fedora 23
misc weakness #246


Weakness Breakdown


The software specifies permissions for a security-critical resource in a way that allows the resource to be read or modified by unintended actors.

Warning code(s):

This function is obsolete and not portable. It was in SUSv2 but removed by POSIX.2. What it does exactly varies considerably between systems, particularly in where its prompt is displayed and where it gets its data.

File Name:



The highlighted line of code below is the trigger point of this particular Fedora 23 misc weakness.

  * Use the OS getpass() routine (or our own) to obtain a password from
 * the input stream.
 * Exit values:
 *  0: Success
 *  5: Partial success; entered text truncated to the size of the
 *     destination buffer
 * Restrictions: Truncation also occurs according to the host system's
 * getpass() semantics, or at position 255 if our own version is used,
 * but the caller is *not* made aware of it unless their own buffer is
 * smaller than our own.

APR_DECLARE(apr_status_t) apr_password_get(const char *prompt, char *pwbuf, apr_size_t *bufsiz)
    apr_status_t rv = APR_SUCCESS;
#if defined(HAVE_GETPASS_R)
    if (getpass_r(prompt, pwbuf, *bufsiz) == NULL)
        return APR_EINVAL;
    char *pw_got = getpassphrase(prompt);
#elif defined(HAVE_GETPASS)
    char *pw_got = getpass(prompt);
#else /* use the replacement implementation above */
    char *pw_got = get_password(prompt);

    if (!pw_got)
        return APR_EINVAL;
    if (strlen(pw_got) >= *bufsiz) {
        rv = APR_ENAMETOOLONG;
    apr_cpystrn(pwbuf, pw_got, *bufsiz);
    memset(pw_got, 0, strlen(pw_got));
#endif /* HAVE_GETPASS_R */
    return rv;

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.