Bugtraq mailing list archives
Re: Buffer Overrun / DOS in /bin/passwd (at least Redhat Linux
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Fri, 19 Dec 1997 15:08:27 -0700
In OpenBSD, we constrain the password line to be 1023 characters long (_including_ expansion in the gecos field of all cases of '&' -> username). Perhaps this strict constraint isn't the perfect solution to the problem, but it sure has stopped a few root holes. One day we'll rewrite it better: allow longer lengths, but check in lots of places. (However a current benefit of this scheme is that the 1023 character constraint also helps for the YP server case). This solution saved us from the sendmail overflow in buildfname().
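The rule the post describes, a length bound applied to the whole passwd line after every '&' in the gecos field has been expanded to the login name, as an added example in C. This is not OpenBSD's or sendmail's code; it assumes the classic BSD convention of capitalising the first letter of the login name on expansion, that the limit applies to the line without its trailing newline, and the seven-field name:passwd:uid:gid:gecos:dir:shell layout. The helper names (gecos_expand, pwline_acceptable, check_amp_line, expand_demo) and the sample lines are constructed for the demo.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Limit from the post: the passwd line, with every gecos '&' expanded to the
   login name, must fit in 1023 bytes (assumed to exclude the newline). */
#define PWLINE_MAX 1023

/* Bytes the gecos field occupies once every '&' is replaced by login. */
size_t gecos_expanded_len(const char *gecos, const char *login)
{
    size_t n = 0, ll = strlen(login);
    for (const char *p = gecos; *p; p++)
        n += (*p == '&') ? ll : 1;
    return n;
}

/* Expand '&' to the login name, first letter capitalised (BSD convention).
   Every write is bounds-checked against outsz: returns 0 on success, -1 if
   the expansion would not fit (out[] is then unspecified). */
int gecos_expand(const char *gecos, const char *login, char *out, size_t outsz)
{
    size_t o = 0, ll = strlen(login);

    if (outsz == 0)
        return -1;
    for (const char *p = gecos; *p; p++) {
        if (*p == '&') {
            if (ll > outsz - 1 - o)          /* room left, minus the NUL */
                return -1;
            memcpy(out + o, login, ll);
            if (ll > 0)
                out[o] = (char)toupper((unsigned char)out[o]);
            o += ll;
        } else {
            if (o >= outsz - 1)
                return -1;
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return 0;
}

/* The post's whole-line rule.  Only login (field 0) and gecos (field 4)
   matter for the expansion.  Returns 1 if the expanded line fits in
   PWLINE_MAX, 0 if it must be rejected, -1 if fewer than five fields. */
int pwline_acceptable(const char *line)
{
    const char *field[7];
    size_t flen[7];
    int nf = 0;
    const char *p = line;

    while (nf < 7) {
        const char *colon = strchr(p, ':');
        field[nf] = p;
        flen[nf] = colon ? (size_t)(colon - p) : strlen(p);
        nf++;
        if (!colon)
            break;
        p = colon + 1;
    }
    if (nf < 5)
        return -1;

    size_t amps = 0;
    for (size_t i = 0; i < flen[4]; i++)
        if (field[4][i] == '&')
            amps++;

    /* each '&' (1 byte on disk) becomes flen[0] bytes after expansion */
    size_t expanded = strlen(line) - amps + amps * flen[0];
    return expanded <= PWLINE_MAX;
}

/* Constructed demo line "login:x:1000:1000:<namps '&'s>:/home/login:/bin/sh";
   returns pwline_acceptable() on it, or -1 if it would not fit the scratch. */
int check_amp_line(const char *login, size_t namps)
{
    char line[2048];
    int n = snprintf(line, sizeof line, "%s:x:1000:1000:", login);
    if (n < 0 || (size_t)n + namps + strlen(login) + 32 >= sizeof line)
        return -1;
    memset(line + n, '&', namps);
    n += (int)namps;
    snprintf(line + n, sizeof line - (size_t)n, ":/home/%s:/bin/sh", login);
    return pwline_acceptable(line);
}

/* Constructed demo: expand into a small fixed buffer, as a program with a
   hard-coded gecos buffer would; NULL when the bounded expander refuses. */
const char *expand_demo(const char *gecos, const char *login)
{
    static char buf[64];
    return gecos_expand(gecos, login, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    printf("%s\n", expand_demo("& Smith", "alice"));              /* Alice Smith */
    printf("2 ampersands:   %d\n", check_amp_line("alice", 2));   /* 1 */
    printf("300 ampersands: %d\n", check_amp_line("alice", 300)); /* 0 */
    return 0;
}
```

The 300-ampersand line is only 338 bytes on disk, so a check on the raw line length would pass it, while the expansion to 1538 bytes is what overruns a fixed gecos buffer; this is why the post applies the bound to the expanded length rather than to the stored line.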
Current thread:
- mIRC Worm, (continued)
- mIRC Worm Aleph One (Dec 18)
- Re: mIRC Worm Nigel Reed (Dec 18)
- Re: mIRC Worm Paul Wilson (Dec 18)
- StackGuard: Automatic Protection From Stack-smashing Attacks Crispin Cowan (Dec 18)
- Re: StackGuard: Automatic Protection From Stack-smashing Attacks Tim Newsham (Dec 19)
- Re: StackGuard: Automatic Protection From Stack-smashing Attacks Theo de Raadt (Dec 19)
- Xotpcalc, version 1.0 Ivan Nejgebauer (Dec 19)
- Buffer Overrun / DOS in /bin/passwd (at least Redhat Linux 4.2) Alex Mottram (Dec 19)
- Re: Buffer Overrun / DOS in /bin/passwd (at least Redhat Linux Alec Muffett (Dec 19)
- f00f.patch (fwd) Ejovi (Dec 19)
- Re: Buffer Overrun / DOS in /bin/passwd (at least Redhat Linux Theo de Raadt (Dec 19)
- Administratrivia Aleph One (Dec 19)