server.c writes free'd pointer into system log
From: Eric Hanchrow
Subject: server.c writes free'd pointer into system log
Date: 26 Jun 2001 08:23:31 -0700
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.0.103

I downloaded cvs-1.11.1p1, and was stepping through it out of
curiosity. I saw in server.c, starting at line 5810:

    memset (descrambled_password, 0, strlen (descrambled_password));
    free (descrambled_password);
    if (host_user == NULL)
    {
#ifdef HAVE_SYSLOG_H
        syslog (LOG_DAEMON | LOG_NOTICE, "login failure (for %s)",
                repository);
#ifdef LOG_AUTHPRIV
        syslog (LOG_AUTHPRIV | LOG_NOTICE, "login failure by %s / %s (for %s)",
                username, descrambled_password, repository);
#endif
#endif

This writes garbage into the system log -- it `free's
descrambled_password, and then passes it to syslog.
It's also not clear whether it's even a good idea to log a failed
password. I (and I suspect many other people), while trying to log in
to system X, sometimes accidentally type a password for some other
system Y; if system X (the CVS server, in this case) logs that
password, then it's been compromised. If you must log, then at the
very least, log the scrambled version (in which case the variable
`password' in the function `pserver_authenticate_connection' ought to
be renamed to something like `password_scrambled').
The obvious (to me, anyway) fix is this:
cd /usr/local/src/cvs-1.11.1p1/src/
diff -wu /usr/local/src/cvs-1.11.1p1/src/server.c\~
/usr/local/src/cvs-1.11.1p1/src/server.c
--- /usr/local/src/cvs-1.11.1p1/src/server.c~ Thu Apr 19 12:34:04 2001
+++ /usr/local/src/cvs-1.11.1p1/src/server.c Tue Jun 26 08:21:25 2001
@@ -5815,7 +5815,7 @@
syslog (LOG_DAEMON | LOG_NOTICE, "login failure (for %s)",
repository);
#ifdef LOG_AUTHPRIV
syslog (LOG_AUTHPRIV | LOG_NOTICE, "login failure by %s / %s (for
%s)",
- username, descrambled_password, repository);
+ username, password, repository);
#endif
#endif
i_hate_you:
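Review bot: The `+` line in the LOG_AUTHPRIV syslog call swaps `descrambled_password` for `password`, which removes the read of freed memory but still writes a value derived from what the user typed into the log. If the scrambling can be reversed, that is the same exposure as logging the cleartext; consider dropping the second `%s` and its argument so the record carries only `username` and `repository`. The rename to `password_scrambled` proposed in the message is not part of this hunk, so it would need to be added here or sent separately.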
Diff finished at Tue Jun 26 08:21:27
--
PGP Fingerprint: 3E7B A3F3 96CA 8958 ACC5 C8BD 6337 0041 C01C 5276
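
Added example, not part of the original message or of the CVS source: one way to order a login-failure path so the log call runs before the secret is wiped and freed, and never receives the password in any form. The names `wipe`, `format_login_failure` and `report_login_failure` are hypothetical, the LOG_AUTH fallback is an assumption, and the sample user, repository and secret are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#ifndef LOG_AUTHPRIV            /* assumed fallback where it is absent */
#define LOG_AUTHPRIV LOG_AUTH
#endif

/* Zero through a volatile pointer so the stores are not discarded as
   dead writes just before free(). */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

/* Build the record from non-secret fields only. */
int format_login_failure(char *out, size_t outlen,
                         const char *username, const char *repository)
{
    return snprintf(out, outlen, "login failure by %s (for %s)",
                    username, repository);
}

/* Hypothetical failure path: log first, then wipe and free the secret,
   then NULL the caller's pointer so no stale copy can be logged later. */
int report_login_failure(const char *username, const char *repository,
                         char **secret, char *out, size_t outlen)
{
    int n = format_login_failure(out, outlen, username, repository);
    syslog(LOG_AUTHPRIV | LOG_NOTICE, "%s", out);
    if (*secret != NULL) {
        wipe(*secret, strlen(*secret));
        free(*secret);
        *secret = NULL;
    }
    return n;
}

int main(void)
{
    char line[256];
    char *pw = malloc(32);                 /* constructed sample secret */
    if (pw == NULL) return 1;
    strcpy(pw, "constructed-secret");
    report_login_failure("alice", "/cvsroot", &pw, line, sizeof line);
    puts(line);
    return pw == NULL ? 0 : 1;
}
```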