[Pkg-shadow-devel] strncpy misused in shadow 4.1.4.3 login program

debweb at nospam.scs.stanford.edu
Sun Mar 6 06:33:04 UTC 2011


There are two places in the shadow package where the strncpy function
is misused.  strncpy does not guarantee that the output string is
NUL-terminated, but the following code seems to assume that it is.

This is not super-easy to exploit, but on a machine with a very long
hostname *and* an attacker who can control the LOCALE and make a very
localized string for "login: ", this will lead to a buffer overrun.

One possible fix is to replace the calls to strncpy with calls to
strlcpy.  (strlcpy is the function designed to be used in this case.)
If you don't like strlcpy because it is less portable, then the
following patch should eliminate the problem:
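The following is an added example, not code from the shadow package or from this mail: it shows a strncpy call of the form used in login.c leaving a buffer unterminated once the translated prompt is as long as the buffer, next to the pre-terminate-then-copy pattern the patch uses. The 16-byte buffer and the long "login: " translation are constructed inputs.

```c
#include <stdio.h>
#include <string.h>

#define PROMPT_SIZE 16   /* constructed: small so a long translation overflows it */

/* Unsafe: mirrors strncpy (dst, src, sizeof dst). Returns 1 when the
 * buffer ends up with no NUL inside its bounds, i.e. a later strlen or
 * printf would read past the end. */
int copy_unterminated(char *dst, size_t dstsize, const char *src) {
    strncpy(dst, src, dstsize);
    return memchr(dst, '\0', dstsize) == NULL;
}

/* Safe: the pattern from the patch. strncpy with dstsize - 1 never
 * touches dst[dstsize - 1], so the terminator written first survives;
 * a shorter source is NUL-padded by strncpy itself. The zero-size
 * guard stops dstsize - 1 from wrapping around. */
void copy_terminated(char *dst, size_t dstsize, const char *src) {
    if (dstsize == 0) return;
    dst[dstsize - 1] = '\0';
    strncpy(dst, src, dstsize - 1);
}

/* Length of the prompt after a safe copy; comparing with strlen(src)
 * tells the caller whether the prompt was truncated. */
size_t safe_prompt_len(const char *translated_prompt) {
    char prompt[PROMPT_SIZE];
    copy_terminated(prompt, sizeof prompt, translated_prompt);
    return strlen(prompt);
}

int unsafe_leaves_unterminated(const char *translated_prompt) {
    char prompt[PROMPT_SIZE];
    return copy_unterminated(prompt, sizeof prompt, translated_prompt);
}

int main(void) {
    const char *short_prompt = "login: ";                          /* 7 bytes */
    const char *long_prompt = "Bitte Benutzernamen eingeben: ";    /* constructed, 30 bytes */
    printf("short: unterminated=%d\n", unsafe_leaves_unterminated(short_prompt));
    printf("long:  unterminated=%d\n", unsafe_leaves_unterminated(long_prompt));
    printf("long:  safe length=%zu (source %zu, truncated)\n",
           safe_prompt_len(long_prompt), strlen(long_prompt));
    return 0;
}
```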

diff -ur shadow-4.1.4.3.orig/src/login.c shadow-4.1.4.3/src/login.c
--- shadow-4.1.4.3.orig/src/login.c	2011-03-05 22:17:10.032524948 -0800
+++ shadow-4.1.4.3/src/login.c	2011-03-05 22:17:59.154342059 -0800
@@ -748,8 +748,9 @@
 			          sizeof (loginprompt),
 			          _("%s login: "), hostn);
 		} else {
+		        loginprompt[sizeof (loginprompt) - 1] = '\0';
 			strncpy (loginprompt, _("login: "),
-			         sizeof (loginprompt));
+			         sizeof (loginprompt) - 1);
 		}
 
 		retcode = pam_set_item (pamh, PAM_USER_PROMPT, loginprompt);
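Review bot: the added `loginprompt[sizeof (loginprompt) - 1] = '\0';` is correct only because the strncpy below it is limited to `sizeof (loginprompt) - 1` and so never overwrites that byte; that coupling deserves a one-line comment so a later cleanup does not reorder or drop it. The `if` branch just above already uses snprintf, so `snprintf (loginprompt, sizeof (loginprompt), "%s", _("login: "));` would give the same bound and guaranteed termination with nothing to reason about. Also, the new line is indented with tabs followed by spaces while the surrounding lines use tabs only.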
diff -ur shadow-4.1.4.3.orig/src/usermod.c shadow-4.1.4.3/src/usermod.c
--- shadow-4.1.4.3.orig/src/usermod.c	2011-03-05 22:17:10.029191265 -0800
+++ shadow-4.1.4.3/src/usermod.c	2011-03-05 22:18:42.665576968 -0800
@@ -182,7 +182,8 @@
 	struct tm *tp;
 
 	if ((negativ != NULL) && (date < 0)) {
-		strncpy (buf, negativ, maxsize);
+	        buf[maxsize - 1] = '\0';
+		strncpy (buf, negativ, maxsize - 1);
 	} else {
 		time_t t = (time_t) date;
 		tp = gmtime (&t);
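Review bot: `buf[maxsize - 1] = '\0';` writes before the start of `buf` when `maxsize` is 0 (and `maxsize - 1` wraps if the type is unsigned), a case the original `strncpy (buf, negativ, maxsize)` tolerated; add an early `if (maxsize == 0)` return or use `snprintf (buf, maxsize, "%s", negativ);`, which handles a zero size and terminates. The new line also mixes a tab with spaces where the neighbouring lines use tabs only.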
