56528 – johntheripper: homepath-bug (serious in 1.6)

Bug 56528 - johntheripper: homepath-bug (serious in 1.6)

Summary: johntheripper: homepath-bug (serious in 1.6)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Daniel Black (RETIRED)

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2004-07-09 03:11 UTC by Alexander Holler
Modified:	2004-12-31 22:51 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Holler 2004-07-09 03:11:51 UTC

Calling

/usr/sbin/john -wordfile=/bla/wordlist -rules -stdout=13

results with version 1.6 that /usr/sbin/restore will be overwritten (if root calls john) which imho is a serious bug.


With 1.63 john will try to write to /usr/sbin/john.rec

The reason can be found in path_init (path.c) which is called from main.c and sets the homepath to the directory where the binary is.

I suggest calling path_init with getenv("HOME") as parameter.

Regards,

Alexander

Reproducible: Always
Steps to Reproduce:
1.
2.
3.

Comment 1 Daniel Black (RETIRED) gentoo-dev

2004-07-10 15:40:39 UTC

will later - overseas at the moment. I'm putting together a big patch set for john and will definately look at this one.

Comment 2 Daniel Black (RETIRED) gentoo-dev

2004-07-22 16:11:31 UTC

changed in my compiled patchset. Will release when I get some of that mythical time.

Comment 3 Daniel Black (RETIRED) gentoo-dev

2004-09-24 06:37:14 UTC

sorry for neglecting this bug.

http://dev.gentoo.org/~dragonheart/john.tar.bz2 is a tarball is my little workspace with unpatched and patched version of john. Feel free to submit patches.

Comment 4 Daniel Black (RETIRED) gentoo-dev

2004-12-31 22:51:11 UTC

Fixed in johntheripper-1.6.37_p1. Thanks for your patience.