NetBSD Problem Report #34740
From roland@roland-illig.de Sat Oct 7 11:50:37 2006
Return-Path: <roland@roland-illig.de>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by narn.NetBSD.org (Postfix) with ESMTP id 9EED063B8CA
for <gnats-bugs@gnats.NetBSD.org>; Sat, 7 Oct 2006 11:50:37 +0000 (UTC)
Message-Id: <20061007115030.A77D8F35E@bacc.roland-illig.de>
Date: Sat, 7 Oct 2006 13:50:30 +0200 (CEST)
From: rillig@NetBSD.org
Reply-To: rillig@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: usr.sbin/user/user.c:asystem hides bugs
X-Send-Pr-Version: 3.95
>Number: 34740
>Category: bin
>Synopsis: usr.sbin/user/user.c:asystem hides bugs
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Oct 07 11:55:00 +0000 2006
>Last-Modified: Sun Oct 08 09:00:07 +0000 2006
>Originator: Roland Illig
>Release: NetBSD-current
>Organization:
>Environment:
>Description:
The asystem() function does not handle directories containing
white-space. It also does not have error checking to prevent the command
from being truncated.
>How-To-Repeat:
useradd -d "/home/Roland Illig" roland
>Fix:
Integrate sysfmt(3) into user.c, which is available from
http://www.schlechte-software.de/sysfmt/
>Audit-Trail:
From: Elad Efrat <elad@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc: netbsd-bugs@netbsd.org
Subject: Re: bin/34740: usr.sbin/user/user.c:asystem hides bugs
Date: Sat, 07 Oct 2006 17:20:52 +0200
rillig@NetBSD.org wrote:
> The asystem() function does not handle directories containing
> white-space. It also does not have error checking to prevent the command
> from being truncated.
>
>> How-To-Repeat:
> useradd -d "/home/Roland Illig" roland
>
>> Fix:
>
> Integrate sysfmt(3) into user.c, which is available from
>
> http://www.schlechte-software.de/sysfmt/
And why can't you just commit the code yourself?
-e.
--
Elad Efrat
From: jnemeth@victoria.tc.ca (John Nemeth)
To: Elad Efrat <elad@NetBSD.org>, gnats-bugs@NetBSD.org
Cc: netbsd-bugs@NetBSD.org
Subject: Re: bin/34740: usr.sbin/user/user.c:asystem hides bugs
Date: Sun, 8 Oct 2006 01:57:45 -0700
On Feb 27, 11:56am, Elad Efrat wrote:
} rillig@NetBSD.org wrote:
}
} > The asystem() function does not handle directories containing
} > white-space. It also does not have error checking to prevent the command
} > from being truncated.
} >
} >> How-To-Repeat:
} > useradd -d "/home/Roland Illig" roland
} >
} >> Fix:
} >
} > Integrate sysfmt(3) into user.c, which is available from
} >
} > http://www.schlechte-software.de/sysfmt/
}
} And why can't you just commit the code yourself?
I think a better solution would be to create utility functions for
this purpose (i.e. add to libutil) and adapt user to use it. For
various projects, I have taken both system() and popen() and converted
them to take full path to command and argv, and use exec* to run the
command (i.e. safe versions of those functions).
}-- End of excerpt from Elad Efrat
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.