NetBSD Problem Report #34740

From roland@roland-illig.de  Sat Oct  7 11:50:37 2006
Return-Path: <roland@roland-illig.de>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id 9EED063B8CA
	for <gnats-bugs@gnats.NetBSD.org>; Sat,  7 Oct 2006 11:50:37 +0000 (UTC)
Message-Id: <20061007115030.A77D8F35E@bacc.roland-illig.de>
Date: Sat,  7 Oct 2006 13:50:30 +0200 (CEST)
From: rillig@NetBSD.org
Reply-To: rillig@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: usr.sbin/user/user.c:asystem hides bugs
X-Send-Pr-Version: 3.95

>Number:         34740
>Category:       bin
>Synopsis:       usr.sbin/user/user.c:asystem hides bugs
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Oct 07 11:55:00 +0000 2006
>Last-Modified:  Sun Oct 08 09:00:07 +0000 2006
>Originator:     Roland Illig
>Release:        NetBSD-current
>Organization:
>Environment:
>Description:

The asystem() function does not handle directories containing
white-space. It also does not have error checking to prevent the command
from being truncated.

>How-To-Repeat:
	useradd -d "/home/Roland Illig" roland

>Fix:

Integrate sysfmt(3) into user.c, which is available from

    http://www.schlechte-software.de/sysfmt/

>Audit-Trail:
From: Elad Efrat <elad@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc: netbsd-bugs@netbsd.org
Subject: Re: bin/34740: usr.sbin/user/user.c:asystem hides bugs
Date: Sat, 07 Oct 2006 17:20:52 +0200

 rillig@NetBSD.org wrote:

 > The asystem() function does not handle directories containing
 > white-space. It also does not have error checking to prevent the command
 > from being truncated.
 > 
 >> How-To-Repeat:
 > 	useradd -d "/home/Roland Illig" roland
 > 
 >> Fix:
 > 
 > Integrate sysfmt(3) into user.c, which is available from
 > 
 >     http://www.schlechte-software.de/sysfmt/

 And why can't you just commit the code yourself?

 -e.

 -- 
 Elad Efrat

From: jnemeth@victoria.tc.ca (John Nemeth)
To: Elad Efrat <elad@NetBSD.org>, gnats-bugs@NetBSD.org
Cc: netbsd-bugs@NetBSD.org
Subject: Re: bin/34740: usr.sbin/user/user.c:asystem hides bugs
Date: Sun, 8 Oct 2006 01:57:45 -0700

 On Feb 27, 11:56am, Elad Efrat wrote:
 } rillig@NetBSD.org wrote:
 } 
 } > The asystem() function does not handle directories containing
 } > white-space. It also does not have error checking to prevent the command
 } > from being truncated.
 } > 
 } >> How-To-Repeat:
 } > 	useradd -d "/home/Roland Illig" roland
 } > 
 } >> Fix:
 } > 
 } > Integrate sysfmt(3) into user.c, which is available from
 } > 
 } >     http://www.schlechte-software.de/sysfmt/
 } 
 } And why can't you just commit the code yourself?

      I think a better solution would be to create utility functions for
 this purpose (i.e. add to libutil) and adapt user to use it.  For
 various projects, I have taken both system() and popen() and converted
 them to take full path to command and argv, and use exec* to run the
 command (i.e. safe versions of those functions).

 }-- End of excerpt from Elad Efrat
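
The argv-based approach described in the reply above, as an added example that is not part of the thread, user.c or libutil: the program is started with fork/execv instead of a shell command string, so the home directory from the How-To-Repeat stays a single argument. `run_argv` and `args_seen` are hypothetical names, and `/bin/sh` is assumed to exist only for the constructed check.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Hypothetical helper (not from libutil or user.c): run the program at the
 * full path `path` with argument vector `argv`, without involving a shell.
 * Returns the child's exit status (127 if exec failed in the child), or -1
 * on a bad path, fork/wait failure, or death by signal.
 */
int
run_argv(const char *path, char *const argv[])
{
	pid_t pid;
	int status;

	if (path == NULL || path[0] != '/') {	/* insist on a full path */
		errno = EINVAL;
		return -1;
	}
	if ((pid = fork()) == -1)
		return -1;
	if (pid == 0) {
		execv(path, argv);	/* no word splitting, no length limit of ours */
		_exit(127);
	}
	while (waitpid(pid, &status, 0) == -1) {
		if (errno != EINTR)
			return -1;
	}
	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/*
 * Constructed check: hand `dir` to a fixed script as one argv element; the
 * script exits with the number of positional parameters it received.
 */
int
args_seen(const char *dir)
{
	char *const argv[] = { "sh", "-c", "exit $#", "sh", (char *)dir, NULL };

	return run_argv("/bin/sh", argv);
}

int main(void)
{
	printf("%d\n", args_seen("/home/Roland Illig"));
	return 0;
}
```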

Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.