Hey,

So I just looked at 4.0.3 (I have no idea if that is the latest version, I got it from the slackware site, for slack 10.2) and here is the vulnerable code:

    if (argc > 1 && argv[1][0] == '-' && strchr ("gfs", argv[1][1])) {
        char buf[200];

        setuid (getuid ());
        switch (argv[1][1]) {
        case 'g':
            argv[1] = GPASSWD_PROGRAM; /* XXX warning: const */
            break;
        case 'f':
            argv[1] = CHFN_PROGRAM; /* XXX warning: const */
            break;
        case 's':
            argv[1] = CHSH_PROGRAM; /* XXX warning: const */
            break;
        default:
            usage (E_BAD_ARG);
        }
        snprintf (buf, sizeof buf, _("%s: Cannot execute %s"), Prog, argv[1]);
        execvp (argv[1], &argv[1]);
        perror (buf);
        SYSLOG ((LOG_ERR, "cannot execute %s", argv[1]));
        closelog ();
        exit (E_FAILURE);
    }

It is located inside main()!

Regards,
Ilja van Sprundel.
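Added example, not part of the comment above and not shadow's own code: the quoted snippet calls setuid (getuid ()) and goes on to execvp without looking at the return value. The thread does not say which defect was meant, so treating that unchecked call as the problem is an assumption. The sketch below shows a checked, verified privilege drop before the exec; the function names drop_to_real_ids and exec_unprivileged are hypothetical.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from shadow): permanently drop to the real
 * uid/gid. Returns 0 on success, -1 if any step fails. */
int drop_to_real_ids(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the uid is dropped we may no longer be allowed to. */
    if (setgid(rgid) != 0)
        return -1;
    /* setuid() can fail (for example under a process limit); check it. */
    if (setuid(ruid) != 0)
        return -1;
    /* Verify that the effective ids really changed. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* A non-root caller must not be able to get uid 0 back. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Exec a helper only after the drop succeeded. Returns -1 if the drop or
 * the exec fails; does not return when the exec succeeds. */
int exec_unprivileged(const char *prog, char *const argv[])
{
    if (drop_to_real_ids() != 0) {
        fprintf(stderr, "refusing to exec %s: privilege drop failed\n", prog);
        return -1;
    }
    execvp(prog, argv);
    perror(prog);
    return -1;
}

int main(void)
{
    /* Constructed sample invocation: run "id" with the real ids. */
    char *const args[] = { "id", NULL };
    return exec_unprivileged("id", args) == 0 ? 0 : 1;
}
```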
Vapier please advise.
the code in question was removed in shadow-4.0.14

ChangeLog:
2005-10-12 Tomasz Kłoczko <kloczek@pld.org.pl>
    * src/passwd.c, NEWS, man/passwd.1, man/passwd.1.xml: remove handle -f, -g and -s options in passwd.

NEWS:
shadow-4.0.13 -> shadow-4.0.14 03-01-2006
*** general:
- passwd: remove handle -f, -g and -s options.
*** Bug 144868 has been marked as a duplicate of this bug. ***