COMMAND

    yppasswdd(8)

SYSTEMS AFFECTED

    Systems running yppasswdd(8) versions up to and including 0.6.

PROBLEM

    Under certain  circumstances, this  hole lets  users with  a valid
    account on your machine gain access to other accounts.

    Note that this vulnerability affects _only_ machines who use

    The  NIS   password  maps   manage  those   password  maps    with
    rpc.yppasswdd.

    The  bug  was   stupid  and  simple;   it  forgot  to   check  the
    user-supplied password for colons. This allows people to submit  a
    password update with a password like this:

    :0:0:Big Boss:/:/tmp/foo

    This will turn their password entry into something like this:

    joe.user::0:0:Big Boss:/:/tmp/foo:Joe Random User:/home/joe:/bin/bash

    All they now have to do is to copy their favorite shell to

    /tmp/foo:Joe Random User:/home/joe:/bin/bash

    Note that all of these are valid filename characters.

    There was a  second oversight, which  may not be  as bad, but  may
    cause problems nevertheless: Users were able to set passwords  for
    NIS  entries  like  +janet  or  -joe  if  they  were passwordless.
    Usually, entries like these should not  occur in the NIS  server's
    password file,   and   I   do   not   believe   they  are acutally
    checked by any program. The new version checks for them anyway.

SOLUTION

    To  plug  this  hole,  you  should  obtain  and install the latest
    version. I have uploaded yppasswd-0.7 to the following places:

    ftp.lysator.liu.se:/pub/NYS/incoming  (to be moved)
    ftp.mathematik.th-darmstadt.de:/pub/linux/okir
    linux.nrao.edu:/pub/people/okir

    The MD5 signature is:

    d22e0061f80f9c28d4b12eeff42e79be  yppasswd-0.7.tar.gz