@@ -1,5 +1,7 @@

+  * In client, copy results from getpw* when necessary.  This fixes what
+    could be a security problem on some platforms.

diff --git a/client.c b/client.c
index f7bc9a4928965e4a90d984194e8e4878e6097d54..3d70f2bcb6a01cc8b09d50722e5212032fb1d3a4 100644 (file)
--- a/client.c
+++ b/client.c
@@ -858,7 +858,7 @@ static void determine_users(void) {
   }
   if (!loginname) {
     pw= getpwuid(myuid); if (!pw) miscerror("cannot determine your login name");
-    loginname= pw->pw_name;
+    loginname= xstrsave(pw->pw_name);
   }
 
   if (!strcmp(serviceuser,"-")) serviceuser= loginname;

diff --git a/debian/changelog b/debian/changelog
index e79e2223fd56ecaf9edc07e1d220ce0ae2b8dc23..941bb4d97f002e381495920771ed34312d84902e 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,7 @@
 userv (0.65.2) unstable; urgency=high
 
+  * In client, copy results from getpw* when necessary.  This fixes what
+    could be a security problem on some platforms.
   * Avoid accessing backup, auto-save files, etc, with include-lookup.
     Everything except a-z 0-9 - _ must now be prefixed by a colon.
   * Allow \ to continue lines (and do sensible things with whitespace in