OpenBSD CVS

CVS log for src/usr.bin/su/su.c





Default branch: MAIN
Current tag: OPENBSD_6_6


Revision 1.77.2.2, Mon Dec 9 04:50:42 2019 UTC (4 years, 6 months ago) by tb
Branch: OPENBSD_6_6
Changes since 1.77.2.1: +7 -5 lines

In -L (loop) mode, reset the login class each time through the loop.
Otherwise, it is possible to log in with another user's login class.
Fixes CVE-2019-19519.  OK deraadt@ markus@

OpenBSD 6.6 errata 012

Revision 1.77.2.1, Wed Dec 4 09:52:22 2019 UTC (4 years, 6 months ago) by deraadt
Branch: OPENBSD_6_6
Changes since 1.77: +7 -5 lines

This is 6.6/010_libcauth.patch.sig

libc's authentication privsep layer performed insufficient username
validation.  Repair work mostly by markus and millert, first of all
solving the primary problem, then adding some additional validation
points.  And then further validation in login and su.
Reported by Qualys

Revision 1.77, Sat Sep 14 17:47:01 2019 UTC (4 years, 8 months ago) by semarie
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE
Branch point for: OPENBSD_6_6
Changes since 1.76: +3 -1 lines

correct some unveil(2) violations due to "login.conf.db" access (the .db version
of "login.conf"), and stat(2) on _PATH_MASTERPASSWD_LOCK (via pw_mkdb(3)).

problem initially noted by myself for passwd(1)
millert@ reported similar problem on chpass(1), su(1), doas(1) and encrypt(1)
mestre@ noted chpass(1) too

ok mestre@ millert@
