aja@nlgroup.ca wrote:
Full_Name: Arthur Anhalt Version: 2.4.12 OS: Ubuntu 8.04 URL: Submission from: (NULL) (205.200.169.138)
When parsing password change extended operations, servers/slapd/passwd.c:slap_passwd_parse() calls ber_get_stringbv() with LBER_BV_NOTERM set. The resulting bv_val doesn't end with a \0.
In libraries/liblutil/passwd.c:chk_crypt will return an error is the old and new passwords do not end with a null terminator. I believe more of the chk_* functions return the same error.
This is the same bug as ITS#5575, but affects the core system, not contributed code.
Fixed in HEAD, thanks.