Hello All,

In reviewing some code in file 'bsd-cray.c', I found a possible issue where data in the following code may not be properly scrubbed in the case IA_BACKDOOR in function 'cray_setup', which is below:

    case IA_BACKDOOR:
        /* XXX: can we memset it to zero here so save some of this */
        strlcpy(ue.ue_name, "root", sizeof(ue.ue_name));
        strlcpy(ue.ue_dir, "/", sizeof(ue.ue_dir));
        strlcpy(ue.ue_shell, "/bin/sh", sizeof(ue.ue_shell));
        ue.ue_passwd[0] = '\0';
        ue.ue_age[0] = '\0';
        ue.ue_comment[0] = '\0';
        ue.ue_loghost[0] = '\0';
        ue.ue_logline[0] = '\0';
        ue.ue_uid = -1;
        ue.ue_nice[UDBRC_INTER] = 0;

Where ue.ue_passwd[0] is set to NUL, there exists the potential that any data beyond ue.ue_passwd[0] is still accessible in memory, as the following test program demonstrates:

    #include <stdio.h>

    int main(void)
    {
        unsigned int n;
        char ue[50] = "ABCDEFGHIJKLMNPOQRSTUVWXYZ0123456789";

        ue[0] = '\0';    /* set the first byte to NUL */
        printf("Contents of char ue[0] is: %s\n", ue);
        printf("Contents of char ue[1-36] is:");
        for (n = 1; n < 36; n++)
            printf("%c", ue[n]);
        printf("\n");
        return 0;
    }

    [bill@moocow ~]$ ./a.out
    Contents of char ue[0] is:
    Contents of char ue[1-36] is:BCDEFGHIJKLMNPOQRSTUVWXYZ0123456789

As you can see, data beyond ue[0] is still accessible. Should the code not be changed to use memset() to scrub any sensitive information still stored in various arrays in IA_BACKDOOR (and perhaps other areas of code in bsd-cray.c, etc.)?

Bill Parker (wp02855 at gmail dot com)

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
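The following is an added example illustrating the point raised in the message above; it is not code from the message, from bsd-cray.c or from OpenSSH. It uses a hypothetical struct (udb_like, with made-up field sizes) standing in for the Cray UDB record, fills it with a constructed sample password, and then compares the two scrubbing styles: clearing only the first byte, as the quoted IA_BACKDOOR code does, versus memset() over the whole field. A counting helper reports how many bytes of the sample secret survive each approach, which is what strlen() or a "%s" print would hide but a memory disclosure would not.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the Cray UDB record fields named in the
 * message. Field sizes are invented for this example, not taken from
 * bsd-cray.c. */
struct udb_like {
    char ue_name[32];
    char ue_passwd[64];
    char ue_comment[64];
};

/* Constructed sample value; stands in for whatever a real lookup filled in. */
#define SAMPLE_PASSWD  "hunter2-example-secret"   /* 22 bytes */
#define SAMPLE_COMMENT "constructed comment text"

/* Populate the record the way an earlier lookup might have. */
static void fill_record(struct udb_like *ue)
{
    memset(ue, 0, sizeof(*ue));             /* start from a clean record */
    strncpy(ue->ue_name, "alice", sizeof(ue->ue_name) - 1);
    strncpy(ue->ue_passwd, SAMPLE_PASSWD, sizeof(ue->ue_passwd) - 1);
    strncpy(ue->ue_comment, SAMPLE_COMMENT, sizeof(ue->ue_comment) - 1);
}

/* Count bytes in buf[1..len) that are still non-zero. strlen() stops at
 * buf[0] once it is NUL, so this is the data a string view never shows. */
static size_t leftover_bytes(const char *buf, size_t len)
{
    size_t n, count = 0;

    for (n = 1; n < len; n++)
        if (buf[n] != '\0')
            count++;
    return count;
}

/* The pattern in the quoted IA_BACKDOOR code: only byte 0 is cleared. */
static void scrub_nul_only(struct udb_like *ue)
{
    ue->ue_passwd[0] = '\0';
    ue->ue_comment[0] = '\0';
}

/* The memset() approach the message proposes: clear every byte. */
static void scrub_memset(struct udb_like *ue)
{
    memset(ue->ue_passwd, 0, sizeof(ue->ue_passwd));
    memset(ue->ue_comment, 0, sizeof(ue->ue_comment));
}

/* strlen() of the password field after NUL-only clearing: looks scrubbed. */
size_t visible_length_after_nul_only(void)
{
    struct udb_like ue;

    fill_record(&ue);
    scrub_nul_only(&ue);
    return strlen(ue.ue_passwd);
}

/* Bytes of the sample password still present after NUL-only clearing. */
size_t leftover_after_nul_only(void)
{
    struct udb_like ue;

    fill_record(&ue);
    scrub_nul_only(&ue);
    return leftover_bytes(ue.ue_passwd, sizeof(ue.ue_passwd));
}

/* Bytes of the sample password still present after memset() clearing. */
size_t leftover_after_memset(void)
{
    struct udb_like ue;

    fill_record(&ue);
    scrub_memset(&ue);
    return leftover_bytes(ue.ue_passwd, sizeof(ue.ue_passwd));
}

int main(void)
{
    printf("nul-only: strlen() reports %zu, but %zu secret bytes remain\n",
           visible_length_after_nul_only(), leftover_after_nul_only());
    printf("memset:   %zu secret bytes remain\n", leftover_after_memset());
    return 0;
}
```

One caveat for the real fix: this example reads the field after scrubbing, so the compiler must keep the memset(). In code where the buffer is never read again before it goes out of scope, an optimizing compiler may drop a plain memset() as a dead store; explicit_bzero() (which OpenSSH ships in its compat layer) or C11 memset_s() exist precisely so that the clearing survives.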