COMMAND

    passwd

SYSTEMS AFFECTED

    RedHat 6.0

PROBLEM

    Prince Ctrl  found following.   When administering  a Red  Hat 6.0
    server and locking users with the 'passwd -l <user>' command,  and
    then  unlocking  a  user  with  the  'passwd -u <user>' command, a
    control  character  is  added  to  the  end  of a users' encrypted
    password in the form of a "^Q" in the shadowed passwd file.

    In tests, this only occurs once the user has been "unlocked".   It
    happens whether you are  using MD5 encryption or  DES...it doesn't
    matter.

SOLUTION

    RedHat was contacted and they  confirmed that it was indeed  a bug
    within 'passwd'. You  can download the  new version of  passwd and
    it will fix this problem:

	http://people.redhat.com/~smooge/passwd-0.60-1.i386.rpm

    The link above is a  redirect to www.redhat.com.  Since  there was
    no patch posted, here it comes below.

    --- pwdb.c.orig Mon Aug 23 20:07:39 1999
    +++ pwdb.c      Mon Aug 23 20:28:59 1999
    @@ -69,7 +69,7 @@
	 const struct pwdb *_pwdb = NULL;
	 const struct pwdb_entry *_pwe = NULL;
	 char *new_pass, *t;
    -    int retval, flags;
    +    int retval, flags, new_len;

	 retval = pwdb_start();
	 if (retval != PWDB_SUCCESS)
    @@ -84,7 +84,7 @@
	    return -1;
	 }

    -    new_pass = alloca(_pwe->length+1);
    +    new_pass = alloca(_pwe->length+3);
	 t = (char *)_pwe->value;
	 if (*t == '!') {
	    /* already locked... */
    @@ -94,12 +94,13 @@
	  * Avoid creating single char '!' crypted passwords that could
	  * be interpreted  as shadow or some other crap
	  */
    +    new_len = _pwe->length + 2;
	 if (_pwe->length < 3) {
    -       snprintf(new_pass, _pwe->length+5, "!!%s", t);
    +       snprintf(new_pass, new_len++, "!!%s", t);
	 } else {
    -       snprintf(new_pass, _pwe->length+5, "!%s", t);
    +       snprintf(new_pass, new_len, "!%s", t);
	 }
    -    retval = pwdb_set_entry(_pwdb, "passwd", new_pass, strlen(new_pass)+1,
    +    retval = pwdb_set_entry(_pwdb, "passwd", new_pass, new_len,
				NULL, NULL, 0);
	 CHECK_ERROR(retval);

    @@ -174,7 +175,7 @@
	    _pwe->length--;
	 }
	 retval = pwdb_set_entry(_pwdb, "passwd", t,
    -                           _pwe->length-1, NULL, NULL, 0);
    +                           _pwe->length, NULL, NULL, 0);
	 CHECK_ERROR(retval);

	 retval = pwdb_entry_delete(&_pwe);

    Fix is intended for our group only...