bug-cvs

Re: server.c writes free'd pointer into system log


From: Larry Jones
Subject: Re: server.c writes free'd pointer into system log
Date: Tue, 26 Jun 2001 16:48:47 -0400 (EDT)

Eric Hanchrow writes:
> 
> I downloaded cvs-1.11.1p1, and was stepping through it out of
> curiosity.  I saw in server.c, starting at line 5810:
[...]
> This writes garbage into the system log -- it `free's
> descrambled_password, and then passes it to syslog.

Right you are.  I've checked in a fix for this problem.  Thanks!

> It's also not clear whether it's even a good idea to log a failed
> password.  I (and I suspect many other people), while trying to log in
> to system X, sometimes accidentally type a password for some other
> system Y; if system X (the CVS server, in this case) logs that
> password, then it's been compromised.  If you must log, then at the
> very least, log the scrambled version (in which case the variable
> `password' in the function `pserver_authenticate_connection' ought to
> be renamed to something like `password_scrambled').

Note that it's only logged if the LOG_AUTHPRIV facility is defined,
which not many systems do.  That facility is specifically intended for
logging sensitive information (like passwords), so the corresponding log
file is usually readable only by root.  One of the most frustrating
problems people have is being unable to log in to a pserver and not being
able to figure out why -- logging the complete login information makes
such problems much easier to track down.  Logging the scrambled password
wouldn't improve security since the scrambling algorithm is simple and
public; it would just make using the log less convenient.

-Larry Jones

OK, there IS a middle ground, but it's for sissy weasels. -- Calvin
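
Added example, not part of this thread and not CVS's own source (the server.c lines Eric quoted are elided above): the bug described is a use-after-free in the logging path, where `descrambled_password` was released with `free()` and the dangling pointer was then handed to `syslog()`. The code below shows the corrected ordering for a failed-login log line: emit the message first, release the buffer afterwards, and clear the pointer so any later accidental use fails loudly instead of silently logging garbage. Assumptions: `fake_syslog()` is an in-memory stand-in for `syslog(LOG_AUTHPRIV|LOG_NOTICE, ...)` so the example runs offline, `xor_descramble()` is a placeholder (a symmetric XOR), not CVS's real substitution-table scrambling, and the function and message names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* In-memory stand-in for syslog(): keeps only the last message written.
 * The real server would send this to the LOG_AUTHPRIV facility. */
static char last_log[256];

static void fake_syslog(const char *user, const char *pw)
{
    snprintf(last_log, sizeof last_log,
             "login failure: user %s, password %s", user, pw);
}

const char *last_log_message(void)
{
    return last_log;
}

/* Placeholder descramble: returns a freshly malloc'd copy with every byte
 * XORed by a constant (so applying it twice round-trips).  CVS's real
 * routine uses a fixed substitution table; this one exists only so the
 * example has a heap buffer whose lifetime must be managed. */
char *xor_descramble(const char *scrambled)
{
    size_t n = strlen(scrambled);
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(scrambled[i] ^ 0x2A);
    out[n] = '\0';
    return out;
}

/* Log a failed login.  Returns 0 on success, -1 on allocation failure.
 *
 * The order reported as buggy was, in effect:
 *     free(descrambled_password);
 *     syslog(..., descrambled_password);   <- reads memory already freed
 *
 * The fix is simply to use the buffer before releasing it, then null the
 * pointer so a later stray use dereferences NULL rather than freed heap. */
int log_failed_login(const char *user, const char *scrambled)
{
    char *descrambled_password = xor_descramble(scrambled);
    if (descrambled_password == NULL)
        return -1;

    fake_syslog(user, descrambled_password);   /* use ... */
    free(descrambled_password);                /* ... then free ... */
    descrambled_password = NULL;               /* ... then forget it. */
    return 0;
}

int main(void)
{
    /* "YOIXO^" is the constructed XOR-scrambled form of "secret". */
    if (log_failed_login("eric", "YOIXO^") != 0)
        return 1;
    printf("%s\n", last_log_message());
    return 0;
}
```

Nulling the pointer after `free()` does not fix the original bug by itself (the call to `syslog()` still had to move above the `free()`), but it turns any remaining use-after-free in the same scope from a silent read of stale heap into a crash that shows up in testing.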
