git.ipfire.org Git - thirdparty/util-linux.git/commit

author	Karel Zak <kzak@redhat.com>
	Mon, 24 Aug 2015 08:05:55 +0000 (10:05 +0200)
committer	Karel Zak <kzak@redhat.com>
	Mon, 24 Aug 2015 08:05:55 +0000 (10:05 +0200)
commit	bde91c85bdc77975155058276f99d2e0f5eab5a9
tree	c9bf09e5f6ff82913d7b61561e3dfa134d2be199	tree \| snapshot
parent	3db75b1a8e0f40b9b0d788e7549f93d031c34fea	commit \| diff

chsh, chfn, vipw: fix filenames collision

The utils when compiled WITHOUT libuser then mkostemp()ing
"/etc/%s.XXXXXX" where the filename prefix is argv[0] basename.

An attacker could repeatedly execute the util with modified argv[0]
and after many many attempts mkostemp() may generate suffix which
makes sense. The result maybe temporary file with name like rc.status
ld.so.preload or krb5.keytab, etc.

Note that distros usually use libuser based ch{sh,fn} or stuff from
shadow-utils.

It's probably very minor security bug.

Addresses: CVE-2015-5224
Signed-off-by: Karel Zak <kzak@redhat.com>

include/fileutils.h		diff \| blob \| blame \| history
lib/fileutils.c		diff \| blob \| blame \| history
login-utils/chfn.c		diff \| blob \| blame \| history
login-utils/chsh.c		diff \| blob \| blame \| history
login-utils/setpwnam.c		diff \| blob \| blame \| history
login-utils/setpwnam.h		diff \| blob \| blame \| history
login-utils/vipw.c		diff \| blob \| blame \| history