VesperOS/shadow
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,696 Commits 10 Branches 149 Tags
73e58adc6b80c7a83d92ec9cf95ffe98db87d367
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
frostb1te 73e58adc6b src/gpasswd.c: is_valid_user_list(): Fix invalid free(3) 
This fix addresses an issue in is_valid_user_list() where the free
operation was attempted on an address not allocated with malloc().  By
duplicating the pointer with xstrdup(users) into dup, and using dup as
the original pointer, we ensure that only the valid pointer is freed,
avoiding an invalid free operation.

This bug was introduced when changing some code that used strchrnul(3)
to use strsep(3) instead.  strsep(3) advances the pointer, unlike the
previous code.

This unconditionally leads to a bug:

-  Passing NULL to free(3), if the last field in the
   colon-separated-value list is non-empty.  This results in a memory
   leak.

-  Passing a pointer to the null byte ('\0') that terminates the string,
   if the last element of the colon-separated-value list is empty.  The
   most obvious reproducer of such a bogus free(3) call is:

       free(strdup("foo:") + 4);

   This results in Undefined Behavior, and could result in allocator
   data corruption.

Fixes: 16cb664865 (2024-07-01, "lib/, src/: Use strsep(3) instead of its pattern")
Suggested-by: <https://github.com/frostb1ten>
Reported-by: <https://github.com/frostb1ten>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Alejandro Colomar <alx@kernel.org>
Cc: Iker Pedrosa <ipedrosa@redhat.com>
Cc: Christian Brauner <christian@brauner.io>
2024-11-08 13:42:23 +01:00
.github
CI: fix handling of sources.list
2024-10-31 09:46:51 +01:00
contrib
contrib/adduser.c: main(): Use strcpy/cat(3) instead of their pattern
2024-07-03 10:03:12 -05:00
doc
doc/contributions/introduction.md: Fix typo in link
2024-10-17 17:09:26 +02:00
etc
etc/pam.d/Makefile.am: Fix typo
2024-02-13 18:45:04 +01:00
keys
Add keys/ directory with public keys for maintainers
2023-10-26 22:31:27 -05:00
lib
lib/fs/readlink/areadlink.h: areadlink(): Use PATH_MAX instead of a magic value
2024-11-01 21:25:50 -05:00
libsubid
lib/, libsubid/, po/, src/: get_gid(): Move function to "atoi/getnum.h"
2024-06-29 20:00:18 +02:00
man
man/shadow,man/gshadow: Fix grammar
2024-11-04 14:17:49 +01:00
po
po/es.po: wsfix
2024-08-22 22:51:57 -05:00
share
CI: fix fedora build problems
2024-10-31 09:52:54 -05:00
src
src/gpasswd.c: is_valid_user_list(): Fix invalid free(3)
2024-11-08 13:42:23 +01:00
tests
Remove references to cppw, cpgr
2024-08-12 10:08:45 +02:00
.editorconfig
Add .editorconfig
2023-03-02 16:33:06 -06:00
.gitignore
Makefile.am: clean some tempfiles
2024-03-23 16:39:07 -05:00
acinclude.m4
configure: replace obsolete autoconf macros
2022-05-10 09:55:18 +02:00
AUTHORS.md
AUTHORS.md: Format list
2024-02-06 16:16:32 +01:00
autogen.sh
autogen.sh: CFLAGS: Use -Wno-unknown-attributes; Clang doesn't know [[gnu::access()]]
2024-01-26 09:40:10 +01:00
ChangeLog
fix typos
2023-04-26 17:35:58 -05:00
configure.ac
Fix typos
2024-09-13 22:27:08 +02:00
COPYING
Update licensing info
2021-12-23 19:36:50 -06:00
Makefile.am
Makefile.am: avoid warning: EXTRA_DIST multiply defined
2024-07-18 09:21:57 -05:00
NEWS
fix typos
2023-04-26 17:35:58 -05:00
README
Add README as symlink to README.md
2021-12-19 14:09:08 -06:00
README.md
README.md, STABLE.md: record the stable branch URL(s).
2023-11-17 09:49:15 -06:00
SECURITY.md
SECURITY.md: add Iker Pedrosa
2023-03-20 10:54:45 -05:00
STABLE.md
STABLE.md: 4.15.x is now stable
2024-05-22 15:10:03 +02:00

README.md

shadow-utils

Introduction

The shadow-utils package includes the necessary programs for converting UNIX password files to the shadow password format, plus programs for managing user and group accounts. The pwconv command converts passwords to the shadow password format. The pwunconv command unconverts shadow passwords and generates a passwd file (a standard UNIX password file). The pwck command checks the integrity of password and shadow files. The lastlog command prints out the last login times for all users. The useradd, userdel, and usermod commands are used for managing user accounts. The groupadd, groupdel, and groupmod commands are used for managing group accounts.

Sites

Code

The main development branch is at https://github.com/shadow-maint/shadow.git

See STABLE.md for a list of supported stable branches.

Contacts

There are several ways to contact us:

Mailing archives

Contributions

Contributions are welcome. Follow the guidelines before posting any patches.

Authors and maintainers

Authors and maintainers are listed in AUTHORS.md.

Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme 47 MiB
Languages
Shell 50.2%
C 30.5%
Makefile 14.1%
M4 2.9%
Python 2.2%