Bug 598

Summary: Crashes in passwd plugin when account locked
Product: Sudo
Reporter: Ross Burton <ross.burton>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal    
Priority: low    
Version: 1.8.6   
Hardware: PC   
OS: Linux   
Attachments: Potential fix

Description Ross Burton 2013-04-11 09:28:56 MDT
sudo 1.8.6p7 crashes in libc.so when using eglibc 2.17 if the account is locked (i.e. the password in /etc/shadow is "!").

This appears to be because crypt() in 2.17 onwards expects the salt input to be valid and will return NULL if it isn't.  In this case the existing password ew_epasswd is just "!" and not $id$salt$encrypted, so it errors out.

sudo assumes that there isn't ever an error when calling crypt(), so happily passes NULL to strcmp, which predictably crashes.
Comment 1 Ross Burton 2013-04-11 09:30:39 MDT
Created attachment 367
Potential fix

This looks like the right fix, but I'm obviously hesitant when dealing with something so security-critical as sudo!
Comment 2 Todd C. Miller 2013-04-11 11:25:26 MDT
Thanks for the detailed bug report.  I've just released sudo 1.8.6p8 which fixes this.
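
The failure mode from the description, with a fail-closed check, as an added example (not the attached patch and not sudo's code). `verify_password`, `crypt_fn` and `stub_crypt` are hypothetical names; `stub_crypt` is a constructed stand-in for a crypt() that returns NULL on an invalid salt, so the example runs without libcrypt.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { AUTH_FAILURE = 0, AUTH_SUCCESS = 1 };

/* Same shape as crypt(3): returns the hash string, or NULL on error. */
typedef char *(*crypt_fn)(const char *key, const char *setting);

/* Constructed stand-in for a crypt() that validates its salt: a setting
 * that is not of the form $id$salt$... yields NULL. The "hash" is a toy
 * (setting prefix followed by the key), used only to drive the check. */
char *stub_crypt(const char *key, const char *setting)
{
    static char out[128];
    const char *last;

    if (setting[0] != '$' || (last = strrchr(setting + 1, '$')) == NULL)
        return NULL;                       /* e.g. the locked entry "!" */
    snprintf(out, sizeof(out), "%.*s%s",
             (int)(last - setting + 1), setting, key);
    return out;
}

/* The crashing pattern is strcmp(crypt(typed, stored), stored) with no
 * NULL check. Here a NULL result is treated as an authentication
 * failure, so a locked account is rejected instead of dereferenced. */
int verify_password(crypt_fn do_crypt, const char *stored, const char *typed)
{
    const char *computed;

    if (stored == NULL || typed == NULL)
        return AUTH_FAILURE;
    computed = do_crypt(typed, stored);
    if (computed == NULL)
        return AUTH_FAILURE;               /* fail closed on crypt error */
    return strcmp(computed, stored) == 0 ? AUTH_SUCCESS : AUTH_FAILURE;
}

int main(void)
{
    /* Constructed sample entries: a locked account and a toy hash. */
    printf("locked: %d\n", verify_password(stub_crypt, "!", "guess"));
    printf("valid:  %d\n",
           verify_password(stub_crypt, "$t$salt$hunter2", "hunter2"));
    return 0;
}
```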