My friend found, a long time ago, a hole in BSD chfn/chsh/chpass that is present in all versions of FreeBSD 2.x - 4.0. I don't see any way to exploit this, but I think readers of this mailing list will appreciate it.

When you run chfn (chfn/chsh/chpass are the same binary on FreeBSD), a temporary file /etc/pw.???? is touched and an external editor (env. variable $EDITOR) is executed with the uid of the user running chfn. Edit your parameters and delete all characters on the last line in the editor (the "Other information:" entry). After this, chfn will crash. No core dumped.

I have no time for a better analysis, but the problem is in edit.c (function verify()). The program crashes at line 238:

    /* Build the gecos field. */
    len = strlen(list[E_NAME].save) + strlen(list[E_BPHONE].save) +
        strlen(list[E_HPHONE].save) + strlen(list[E_LOCATE].save) +
        strlen(list[E_OTHER].save) + 4;
    if (!(p = malloc(len)))
        err(1, NULL);
    (void)sprintf(pw->pw_gecos = p, "%s,%s,%s,%s,%s",
        list[E_NAME].save, list[E_LOCATE].save, list[E_BPHONE].save,
        list[E_HPHONE].save, list[E_OTHER].save);

The entry list[E_OTHER].save is set to NULL, and strlen(NULL) crashes.

I tried to overflow the pw->gecos variable, but with no success, because the size of each entry can be MAX_LEN (2048 bytes). I think it could be the same problem as the cfingerd 1.4.0 gecos overflow.

When the temporary file /etc/pw.????? is created with the uid of the user and chpass crashes, there is no way to delete/create/rename this temporary file in /etc (no o+w access on /etc), but you can edit the content of this file. Could this be exploitable? :)

--

Answer: This hole has no serious security implication.
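The crash described above comes down to one unchecked pointer. The following is an added example, not part of the original post or of FreeBSD's chpass: it models the edit list with a constructed struct and two constructed sample lists, shows a check that reports which field is NULL, and builds the gecos string the way the quoted code should, treating a NULL field as empty and sizing the buffer from the real formatted length.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the chpass edit list: the field names follow
 * the quoted edit.c, and only the "save" pointer matters here. */
enum { E_NAME, E_BPHONE, E_HPHONE, E_LOCATE, E_OTHER, E_COUNT };
struct entry { const char *save; };

/* Constructed inputs: one with the last line emptied, as the report
 * describes, and one with every field present. */
const struct entry SAMPLE_EMPTIED_OTHER[E_COUNT] = {
    { "Jan Novak" }, { "555-1234" }, { "555-9876" }, { "Room 42" }, { NULL }
};
const struct entry SAMPLE_FULL[E_COUNT] = {
    { "a" }, { "b" }, { "c" }, { "d" }, { "e" }
};

/* Index of the first field whose save pointer is NULL, or -1 if none.
 * This is exactly the pointer the quoted code hands straight to strlen(). */
int first_null_field(const struct entry list[E_COUNT])
{
    for (int i = 0; i < E_COUNT; i++)
        if (list[i].save == NULL)
            return i;
    return -1;
}

/* Hardened builder: a NULL field becomes "", and the buffer is sized from
 * the formatted length instead of a hand-added constant. Returns a malloc'd
 * string in the quoted sprintf() field order, or NULL on allocation failure. */
char *build_gecos(const struct entry list[E_COUNT])
{
    const char *f[E_COUNT];
    for (int i = 0; i < E_COUNT; i++)
        f[i] = list[i].save ? list[i].save : "";
    const char *fmt = "%s,%s,%s,%s,%s";
    int n = snprintf(NULL, 0, fmt, f[E_NAME], f[E_LOCATE],
                     f[E_BPHONE], f[E_HPHONE], f[E_OTHER]);
    if (n < 0)
        return NULL;
    char *p = malloc((size_t)n + 1);
    if (p == NULL)
        return NULL;
    snprintf(p, (size_t)n + 1, fmt, f[E_NAME], f[E_LOCATE],
             f[E_BPHONE], f[E_HPHONE], f[E_OTHER]);
    return p;
}

/* Convenience for checks: build, compare, free. Returns 1 on match. */
int gecos_equals(const struct entry list[E_COUNT], const char *expected)
{
    char *g = build_gecos(list);
    int ok = g != NULL && strcmp(g, expected) == 0;
    free(g);
    return ok;
}
```

Calling `first_null_field()` before the build is the check verify() lacked; `build_gecos()` shows the same result can be reached without rejecting the input at all.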