Closed alejandro-colomar closed 7 hours ago
Side question:
@thesamesam , @jubalh , @ikerexxe do you want a fix backported to stable branches?
It might imply backporting a significant amount of refactors. (I don't mind doing the work, but it might introduce accidental regressions in stable branches; hopefully zero, but)
Edit: never mind; it seems it doesn't require so many refactors. I'll backport it.
I wonder whether any distros use /etc/porttime.
I was wondering the same.
I was trying to simplify some code, and found what I believe is a buffer overrun. It's in lib/port.c, and can be triggered by a line in </etc/porttime> which contains at least 64 ',' characters and no ':' at all. Of course, only root would be able to craft such a file in a normal system, so this shouldn't be a security issue.
https://github.com/shadow-maint/shadow/blob/060b0849a6433a17685cf73b1816603b00657f95/lib/port.c#L183-L202
Line 201 seems to be unreachable.
For
(':' != *cp)
to be true in line 200, we need it to also be true in line 183. If
(':' != *cp)
is true in line 183, line 187 loops --advancing in the string-- until it becomes false (which might never). There's no stop at the end of the string.

Affected programs: login(1), logoutd(8), su(1)
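The kind of bounded parsing the report asks for, as an added example that is not shadow's lib/port.c: a parser for the ports field of a porttime(5)-style line that stops at the end of the string and refuses to write past its fixed table (the table size of 64 and the 16-byte name length are assumptions for illustration).

```c
#include <stddef.h>
#include <string.h>

/* Assumed sizes, not taken from shadow. */
#define MAX_PORTS 64
#define NAME_LEN  16

struct ports {
    char   names[MAX_PORTS][NAME_LEN];
    size_t count;
};

/* Parse the comma-separated ports up to the first ':'.
 * Returns the offset of that ':' on success, or -1 if the line has no ':',
 * holds more than MAX_PORTS entries, or a name does not fit. Every scan
 * loop also stops at '\0', so a line with 64 ',' and no ':' is rejected
 * instead of running past the end of the string or the table. */
int parse_ports(const char *line, struct ports *out)
{
    size_t i = 0;

    out->count = 0;
    for (;;) {
        size_t len = 0;

        if (out->count >= MAX_PORTS)
            return -1;                     /* table full: reject the line */
        while (line[i] != '\0' && line[i] != ',' && line[i] != ':') {
            if (len + 1 >= NAME_LEN)
                return -1;                 /* name too long for the table */
            out->names[out->count][len++] = line[i++];
        }
        out->names[out->count][len] = '\0';
        out->count++;
        if (line[i] == ':')
            return (int)i;                 /* field properly terminated */
        if (line[i] == '\0')
            return -1;                     /* end of string before any ':' */
        i++;                               /* skip the ',' */
    }
}

/* Number of ports in a line, or -1 when the line is rejected. */
int port_count(const char *line)
{
    struct ports p;
    return parse_ports(line, &p) < 0 ? -1 : (int)p.count;
}

/* Constructed input matching the report: 64 ',' characters and no ':'. */
int parse_pathological_line(void)
{
    char line[65];
    memset(line, ',', 64);
    line[64] = '\0';
    return port_count(line);
}
```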