On Sun, May 12, 2002 at 01:00:52PM +0200, Wichert Akkerman wrote:
> Previously Sami Haahtinen wrote:
> > Changes:
> >  libpam-ldap (144-1) unstable; urgency=low
> >   * Upstream fix for a security related bug which involves a Format String
> >     problem. The probability for this bug to affect the security on a
> >     normally configured system is so small that I won't squeeze this into
> >     woody at all. (first affected version was 40)
>
> I disagree, how probable a security problem is should not matter at all.
> Can you describe the exact problem?

The problem can occur if one uses something like config=foo%s%n in the
configuration. This situation can occur only if someone is able to modify
your pam configuration, in which case you already have a big problem (as
the user can obtain root privileges without exploiting the hole).

For more information, see the upstream notes:
http://www.padl.com/Articles/LocalFormatStringVulnerab.html

Regards,
  Sami Haahtinen

--
  -< Sami Haahtinen >-
  -[ Is it still a bug, if we have learned to live with it? ]-
  -< 2209 3C53 D0FB 041C F7B1 F908 A9B6 F730 B83D 761C >-
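The bug class discussed in the message above, as an added example that is not part of the original e-mail and is not pam_ldap's code: a configuration value used as a printf format string versus passed as data, with a check that flags conversion directives in such a value. The function names are hypothetical and the sample input is constructed from the value quoted in the message.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: count printf conversion directives in a value read
 * from a configuration file. "%%" is a literal percent sign and is skipped;
 * a lone trailing '%' is counted because it is still a malformed directive. */
int count_format_directives(const char *value)
{
    int n = 0;
    for (const char *p = value; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, not a directive */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Before (shown as a comment only, not compiled):
 *
 *     snprintf(out, outlen, config_value);
 *
 * Here the configuration value is the format string, so "%s" and "%n" in it
 * are interpreted and consume arguments that were never passed.
 *
 * After: the format string is a constant and the value is plain data. */
int format_value_safe(char *out, size_t outlen, const char *config_value)
{
    return snprintf(out, outlen, "%s", config_value);
}

int main(void)
{
    const char *sample = "foo%s%n";   /* constructed sample input */
    char buf[64];

    format_value_safe(buf, sizeof buf, sample);
    printf("directives=%d copied=\"%s\"\n",
           count_format_directives(sample), buf);
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` (GCC and Clang) reports the commented-out "before" call pattern at build time.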