VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2003 · Updated Jun 16, 2026

CVE-2003-1366

Description

chpass in OpenBSD 2.0 through 3.2 allows local users to read portions of arbitrary files via a hard link attack on a temporary file used to store user database information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • OpenBSD/OpenBSD: 14 versions
    • cpe:2.3:o:openbsd:openbsd:2.0:*:*:*:*:*:*:*
    • cpe:2.3:o:openbsd:openbsd:2.1:*:*:*:*:*:*:*
    • cpe:2.3:o:openbsd:openbsd:2.2:*:*:*:*:*:*:*
    • cpe:2.3:o:openbsd:openbsd:2.3:*:*:*:*:*:*:*
    • cpe:2.3:o:openbsd:openbsd:2.4:*:*:*:*:*:*:*
    • cpe:2.3:o:openbsd:openbsd:2.5:*:*:*:*:*:*:*
    • cpe:2.3:o:openbsd:openbsd:2.6:*:*:*:*:*:*:*
    • cpe:2.3:o:openbsd:openbsd:2.7:*:*:*:*:*:*:*
    • cpe:2.3:o:openbsd:openbsd:2.8:*:*:*:*:*:*:*
    • cpe:2.3:o:openbsd:openbsd:2.9:*:*:*:*:*:*:*
    • cpe:2.3:o:openbsd:openbsd:3.0:*:*:*:*:*:*:*
    • cpe:2.3:o:openbsd:openbsd:3.1:*:*:*:*:*:*:*
    • cpe:2.3:o:openbsd:openbsd:3.2:*:*:*:*:*:*:*
    • (no CPE) range: 2.0 through 3.2

Vulnerability mechanics

Root cause

"Missing link-count validation on the temporary file allows a hard-link substitution attack that causes chpass to read and leak contents of an arbitrary file."

Attack vector

A local attacker runs `chpass`, suspends the editor (^Z), removes the temporary file, and replaces it with a hard link to an arbitrary file (e.g., a root-owned file). When the editor is quit without saving, `chpass` re-opens the file with root privileges and parses it. If a line begins with `shell:` and contains only printable characters (no `:` or space), the remainder of that line is printed in an error message, leaking the file's content [ref_id=1]. The attack requires the target file to contain a line matching this specific format, which limits practical exploitability.

Affected code

The vulnerability resides in `edit.c` of the OpenBSD `chpass` (also `chfn` and `chsh`) utility. The function that reads the temporary file after the editor exits did not verify that the file's link count is one, allowing a hard-link substitution attack.

What the fix does

The patch in `edit.c` adds `O_NOFOLLOW` to the `open()` call and checks `sb.st_nlink != 1` after `fstat()` [ref_id=1]. `O_NOFOLLOW` prevents following symbolic links, and the link-count check ensures the temporary file has not been replaced by a hard link to another file. If either condition fails, the file is treated as corrupted and processing is aborted.
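
The two checks described above, as an added example (not the OpenBSD patch itself): the helper `open_tempfile_checked` and the self-check `demo` are hypothetical names, and the scratch files under `/tmp` are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: re-open a temporary file the way the fix describes.
 * Returns a descriptor, or -1 if the path is a symlink, is not a regular
 * file, or has a link count other than one. */
int open_tempfile_checked(const char *path)
{
    struct stat sb;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);    /* refuse symlinks */
    if (fd == -1)
        return -1;
    /* fstat() the descriptor, not the path, so the check applies to the
     * object that was actually opened. */
    if (fstat(fd, &sb) == -1 || !S_ISREG(sb.st_mode) || sb.st_nlink != 1) {
        close(fd);
        return -1;                                 /* treat as corrupted */
    }
    return fd;
}

/* Constructed self-check. Returns a bitmask of the cases that were accepted:
 * bit 0 = untouched file, bit 1 = file with a second hard link,
 * bit 2 = symlink to the file. Only bit 0 should be set. */
int demo(void)
{
    char dir[] = "/tmp/nlinkdemo.XXXXXX", a[64], b[64], c[64];
    int fd, mask = 0;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(a, sizeof a, "%s/tmp", dir);
    snprintf(b, sizeof b, "%s/hard", dir);
    snprintf(c, sizeof c, "%s/sym", dir);
    if ((fd = open(a, O_CREAT | O_EXCL | O_WRONLY, 0600)) == -1) return -1;
    close(fd);
    if ((fd = open_tempfile_checked(a)) != -1) { mask |= 1; close(fd); }
    if (link(a, b) == -1) return -1;               /* st_nlink is now 2 */
    if ((fd = open_tempfile_checked(b)) != -1) { mask |= 2; close(fd); }
    unlink(b);                                     /* st_nlink back to 1 */
    if (symlink(a, c) == -1) return -1;
    if ((fd = open_tempfile_checked(c)) != -1) { mask |= 4; close(fd); }
    unlink(c); unlink(a); rmdir(dir);
    return mask;
}

int main(void) { int m = demo(); printf("accepted mask: %d\n", m); return m == 1 ? 0 : 1; }
```
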

Preconditions

  • auth: The attacker must have a local user account on the system.
  • input: The target file must contain a line matching the format `shell: <printable_chars>` (no ':' or space after 'shell:').
  • input: The attacker must be able to suspend the editor and replace the temporary file with a hard link before resuming.

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
