Up to [local] / src / usr.bin / su
Default branch: MAIN
Current tag: OPENBSD_6_5
Revision 1.73.2.2, Mon Dec 9 04:51:48 2019 UTC (4 years, 6 months ago) by tb
Branch: OPENBSD_6_5
Changes since 1.73.2.1: +7 -5 lines
In -L (loop) mode, reset the login class each time through the loop. Otherwise, it is possible to log in with another user's login class. Fixes CVE-2019-19519.
OK deraadt@ markus@
OpenBSD 6.5 errata 023
Revision 1.73.2.1, Wed Dec 4 09:51:49 2019 UTC (4 years, 6 months ago) by deraadt
Branch: OPENBSD_6_5
Changes since 1.73: +7 -5 lines
This is 6.5/021_libcauth.patch.sig
libc's authentication privsep layer performed insufficient username validation. Repair work mostly by markus and millert, first of all solving the primary problem, then adding some additional validation points. And then further validation in login and su.
Reported by Qualys
Revision 1.73, Mon Jan 28 01:38:06 2019 UTC (5 years, 4 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE
Branch point for: OPENBSD_6_5
Changes since 1.72: +3 -1 lines
ttyname() is used, therefore must unveil _PATH_DEVDB. from Anton Borowka