Bug 71152 - Passwd --stdin doesn't handle read errors
Product: Red Hat Linux
Classification: Retired
Component: passwd
All Linux
medium Severity medium
Assigned To: Tomas Mraz
Mike McLean
Blocks: 80220
Reported: 2002-08-09 08:19 EDT by Jarno Huuskonen
Modified: 2007-04-18 12:45 EDT
Doc Type: Bug Fix
Last Closed: 2005-05-25 11:25:55 EDT
Description Jarno Huuskonen 2002-08-09 08:19:12 EDT
Description of Problem:
passwd has a --stdin option to take the new password from stdin. The passwd code
doesn't seem to handle read errors from stdin:
                char newPassword[80];
                int i;

                i = read(STDIN_FILENO, newPassword,
                         sizeof(newPassword) - 1);
                newPassword[i - 1] = '\0';
                conv.conv = stdin_conv;
                conv.appdata_ptr = strdup(newPassword);

If the read call returns -1 or 0, then the code writes a \0 byte outside the
newPassword array and copies "random" memory as the new password. Fortunately,
the --stdin option is restricted to root.

Version-Release number of selected component (if applicable):
Name        : passwd                       Relocations: (not relocateable)
Version     : 0.67                              Vendor: Red Hat, Inc.
Release     : 1                             Build Date: Thu Mar 14 03:44:31 2002

(I looked at the passwd code from RH 6.2 (passwd-0.64.1-1) and it appears to
have the same problem).

Expected result:
passwd should handle a possible read error from stdin instead of setting the
password to "junk".
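
A hardened form of the read described in the report, as an added example (not code from passwd or from the Fedora Core/RHEL fix). The helper name read_password_fd is hypothetical; it checks read() for -1 and 0 before touching the buffer and strips a line ending only when one is present.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not from passwd): read one password line from fd.
 * Returns the password length (>0) on success; -1 on read error, EOF
 * before any data, or an empty line. buf is always NUL-terminated. */
static long read_password_fd(int fd, char *buf, size_t buflen)
{
    size_t used = 0;

    if (buf == NULL || buflen < 2)
        return -1;
    buf[0] = '\0';

    while (used < buflen - 1) {
        ssize_t n = read(fd, buf + used, buflen - 1 - used);
        if (n < 0) {
            if (errno == EINTR)
                continue;               /* interrupted: retry */
            memset(buf, 0, buflen);     /* real error: keep no partial data */
            return -1;
        }
        if (n == 0)
            break;                      /* EOF */
        used += (size_t)n;
        if (memchr(buf, '\n', used) != NULL)
            break;                      /* got a complete line */
    }
    buf[used] = '\0';                   /* used <= buflen - 1, always in bounds */
    buf[strcspn(buf, "\r\n")] = '\0';   /* cut at the line ending, if any */
    return buf[0] != '\0' ? (long)strlen(buf) : -1;
}

int main(void)
{
    char pw[80];
    int p[2];

    if (pipe(p) != 0)
        return 1;
    close(p[1]);                        /* constructed input: immediate EOF */
    if (read_password_fd(p[0], pw, sizeof(pw)) < 0)
        fputs("refusing to set password: no input\n", stderr);
    close(p[0]);
    return 0;
}
```

Unlike the unconditional newPassword[i - 1] = '\0', this also keeps the last character when the input arrives without a trailing newline.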
Comment 2 Tomas Mraz 2005-05-25 11:25:55 EDT
This is fixed in the current Fedora Core and RHEL releases.
