From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2) Gecko/20040308

Description of problem:
During a code review, I found several issues with the programs in the passwd rpm. Notably, the passwd program has an off by 1 in the case of --stdin. buffer is 80, len passed to read is 79, location 78 is 0'ed. This is more noticeable if you imagine i == 1 after read. Also, if read returns an error, the program continues as if nothing bad happened and tries to zero buffer[-2]. Also, pam_start was not being checked for its return code. Various minor memory leaks.

Version-Release number of selected component (if applicable):
passwd-0.68

How reproducible:
Always

Steps to Reproduce:
Found during code review.

Additional info:
I will attach a patch that fixes these. I did not look at prior versions to see if these issues exist.
Created attachment 99118
Patch that fixes bugs found by code review.

Please apply before releasing Fedora Core 2.
Created attachment 99912
Revised patch

The off by one problem was found to be used to remove the \n. Therefore the patch needed updating. Please use this one instead.
Note btw that there is a small behaviour change if the user uses ^V before newline characters. The new behaviour seems somewhat wiser however.
At one point, I had:

    if (i && newPassword[i-1] == '\n') newPassword[i-1] = 0;

It was suggested on vend-sec to just do a strchr instead. I suppose they may have meant strrchr.
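The --stdin read handling discussed in this report, as an added example that is not part of the original report or the attached patch. The names read_password, demo and PW_BUF are hypothetical; the code checks read()'s return value before using it as an index, terminates at buf[n], and strips the newline with strchr as suggested above.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define PW_BUF 80  /* buffer size quoted in the report */

/* Hypothetical helper: read one password from fd into buf (size bytes).
 * Returns the stored length, or -1 if read() fails. */
ssize_t read_password(int fd, char *buf, size_t size)
{
    ssize_t n;
    char *nl;
    if (size == 0)
        return -1;
    do {
        n = read(fd, buf, size - 1);   /* room for the NUL; longer input is cut */
    } while (n < 0 && errno == EINTR);
    if (n < 0) {                       /* never use a failed count as an index */
        buf[0] = '\0';
        return -1;
    }
    buf[n] = '\0';                     /* n <= size - 1, always in bounds */
    nl = strchr(buf, '\n');            /* also safe when n == 0 */
    if (nl)
        *nl = '\0';
    return (ssize_t)strlen(buf);
}

/* Constructed harness: feed len bytes of input through a pipe. */
ssize_t demo(const char *input, size_t len, char *out)
{
    int p[2];
    ssize_t r;
    if (pipe(p) != 0)
        return -2;
    r = (len == 0 || write(p[1], input, len) == (ssize_t)len) ? 0 : -2;
    close(p[1]);                       /* EOF after the constructed input */
    if (r == 0)
        r = read_password(p[0], out, PW_BUF);
    close(p[0]);
    return r;
}

int main(void)
{
    char buf[PW_BUF];
    return demo("secret\n", 7, buf) == 6 ? 0 : 1;  /* constructed sample */
}
```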
Hello Steve, most things from your patch were applied. Thanks, Jindrich