diff options
| author | mancha <mancha1@hush.com> | 2013-05-22 07:20:26 -0700 |
|---|---|---|
| committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-06-07 16:26:46 -0700 |
| commit | 8d1eb5c74413e4c9a21f689fc106949b121c0117 (patch) | |
| tree | 79ddad90b9da1b4983271975d734b2b349ba4c27 | |
| parent | 642d73c50ae19a55975919c84191da15b31608a4 (diff) | |
Handle NULL returns from glibc 2.17+ crypt().
Starting with glibc 2.17 (eglibc 2.17), crypt() fails with EINVAL
(w/ NULL return) if the salt violates specifications. Additionally,
on FIPS-140 enabled Linux systems, DES/MD5-encrypted passwords
passed to crypt() fail with EPERM (w/ NULL return).
If using glibc's crypt(), check return value to avoid a possible
NULL pointer dereference.
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Notes
Fixes CVE-2013-2179
| -rw-r--r-- | greeter/verify.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/greeter/verify.c b/greeter/verify.c index db3cb7d..b009e2b 100644 --- a/greeter/verify.c +++ b/greeter/verify.c @@ -329,6 +329,7 @@ Verify (struct display *d, struct greet_info *greet, struct verify_info *verify) struct spwd *sp; # endif char *user_pass = NULL; + char *crypted_pass = NULL; # endif # ifdef __OpenBSD__ char *s; @@ -464,7 +465,9 @@ Verify (struct display *d, struct greet_info *greet, struct verify_info *verify) # if defined(ultrix) || defined(__ultrix__) if (authenticate_user(p, greet->password, NULL) < 0) # else - if (strcmp (crypt (greet->password, user_pass), user_pass)) + crypted_pass = crypt (greet->password, user_pass); + if ((crypted_pass == NULL) + || (strcmp (crypted_pass, user_pass))) # endif { if(!greet->allow_null_passwd || strlen(p->pw_passwd) > 0) { |