bug-cvs

server.c writes free'd pointer into system log


From: Eric Hanchrow
Subject: server.c writes free'd pointer into system log
Date: 26 Jun 2001 08:23:31 -0700
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.0.103

I downloaded cvs-1.11.1p1, and was stepping through it out of
curiosity.  I saw in server.c, starting at line 5810:

        memset (descrambled_password, 0, strlen (descrambled_password));
        free (descrambled_password);
        if (host_user == NULL)
        {
    #ifdef HAVE_SYSLOG_H
            syslog (LOG_DAEMON | LOG_NOTICE, "login failure (for %s)", repository);
    #ifdef LOG_AUTHPRIV
            syslog (LOG_AUTHPRIV | LOG_NOTICE, "login failure by %s / %s (for %s)",
                    username, descrambled_password, repository);
    #endif
    #endif

This writes garbage into the system log -- it `free's
descrambled_password, and then passes it to syslog.

It's also not clear whether it's even a good idea to log a failed
password.  I (and I suspect many other people), while trying to log in
to system X, sometimes accidentally type a password for some other
system Y; if system X (the CVS server, in this case) logs that
password, then it's been compromised.  If you must log, then at the
very least, log the scrambled version (in which case the variable
`password' in the function `pserver_authenticate_connection' ought to
be renamed to something like `password_scrambled').

The obvious (to me, anyway) fix is this:

    cd /usr/local/src/cvs-1.11.1p1/src/
    diff -wu /usr/local/src/cvs-1.11.1p1/src/server.c\~ /usr/local/src/cvs-1.11.1p1/src/server.c
    --- /usr/local/src/cvs-1.11.1p1/src/server.c~       Thu Apr 19 12:34:04 2001
    +++ /usr/local/src/cvs-1.11.1p1/src/server.c        Tue Jun 26 08:21:25 2001
    @@ -5815,7 +5815,7 @@
            syslog (LOG_DAEMON | LOG_NOTICE, "login failure (for %s)", 
repository);
     #ifdef LOG_AUTHPRIV
             syslog (LOG_AUTHPRIV | LOG_NOTICE, "login failure by %s / %s (for 
%s)",
    -           username, descrambled_password, repository);
    +           username, password, repository);
     #endif
     #endif
         i_hate_you:
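Review bot: the `+` line removes the use-after-free (descrambled_password is memset and freed a few lines above the hunk), but `username, password, repository` still writes the password to the log, only in scrambled form, and since this same function descrambles that value itself the scrambling is reversible and gives no real protection. Suggest dropping the password argument altogether, e.g. `syslog (LOG_AUTHPRIV | LOG_NOTICE, "login failure by %s (for %s)", username, repository);`, which also sidesteps the ordering question of whether the secret is still valid at the point of the syslog call. The rename of `password` to `password_scrambled` proposed in the message is not part of the hunk either.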

    Diff finished at Tue Jun 26 08:21:27


-- 
PGP Fingerprint: 3E7B A3F3 96CA 8958 ACC5  C8BD 6337 0041 C01C 5276
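As an added example (not code from cvs-1.11.1p1 and not the poster's patch), here is the failure path written so that the secret is scrubbed after its last use, the dangling pointer is cleared, and the log line carries no password in any form. syslog() is replaced by a buffer stand-in so the result can be checked, and lookup_host_user is a hypothetical account check with one constructed user.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for syslog() (hypothetical): keeps the last line so it can be inspected. */
static char last_log[256];
static void log_line(const char *fmt, const char *a, const char *b)
{
    snprintf(last_log, sizeof last_log, fmt, a, b);
}
const char *last_log_line(void) { return last_log; }

/* Heap copy of a secret, standing in for the server's descramble step. */
char *copy_secret(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Scrub, then release.  A plain memset() right before free() may be elided by
   the compiler; a volatile loop (or explicit_bzero() where available) is not. */
static void scrub_and_free(char *secret)
{
    if (secret == NULL) return;
    volatile char *v = secret;
    for (size_t i = 0; v[i] != '\0'; i++) v[i] = 0;
    free(secret);
}

/* Hypothetical account check with one constructed valid user. */
static const char *lookup_host_user(const char *username, const char *descrambled)
{
    return (!strcmp(username, "alice") && !strcmp(descrambled, "s3cret")) ? "alice" : NULL;
}

/* Returns 1 on success, 0 on failure.  The secret is scrubbed only after its
   last use, the pointer is cleared so it cannot reach the log call, and the
   failure line carries username and repository only: no password in any form. */
int authenticate(const char *username, char *descrambled_password, const char *repository)
{
    const char *host_user = lookup_host_user(username, descrambled_password);
    scrub_and_free(descrambled_password);
    descrambled_password = NULL;
    if (host_user == NULL) {
        log_line("login failure by %s (for %s)", username, repository);
        return 0;
    }
    last_log[0] = '\0';
    return 1;
}
```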


