Re: patch to login, dmesg and obscure

> > > I've discovered some bugs in the BusyBox unstable branch and since 
> > > it doesn't seem to fixed in the 1.0.0-pre1 release I created a 
> > > patch with my changes. Description below:
>
> > * libbb/obscure.c:password_check()
> > There was a buffer overflow bug which cased passwd command to 
> > segfault when invoked by any other than the superuser.
>
>
> This moment have algoritmicaly problem, not overflow:
> strcat(wrapped, wrapped) - may be looped.
>
> Hand patch:
>
> - else if (strstr(strcat(wrapped, wrapped), newmono))
> + else {
> +    safe_strncpy(wrapped + lenwrap, wrapped, lenwrap + 1);
> +    if (strstr(wrapped, newmono))
> +}

I'm seeing the passwd seg fault using busybox 1.0.0-pre1 on an ARM 
(Rio receiver), although I can't address the 'when invoked by any 
other than the superuser' because there are no users defined on my 
system yet. I'm following this thread, but it is a bit unclear 
because of some opposing discussion. Will applying the patch given 
above fix the seg fault?


Stefan Jeglinski