
bug#17532: read all responses; va down, can't check bug status



Hi...

I had been talking to Guy on irc a couple of times, and he let me know he'd work 
on the bug. It's been a few days, and today I tried to check the current 
status, but it seems www.debian.org is down. Checking another mirror revealed a 
bug archive that was approximately 60-70 days old, so I couldn't check to see if 
Guy closed this bug on that archive. Could someone check on the latest known 
archive? The last thing that I knew of was that bcwhite changed the status of the 
bug from "critical" to "normal" without making changes to the package itself 
to effect a corresponding change in functionality or notifying me, even 
automatically (I added a polite request to be so notified in the bug report; 
judging by the lack of any response, I'm not sure the report was even read or 
checked to determine if, in fact, the bug does exist before making this 
change.)

If the critical-to-normal change is the last thing to have happened, I am 
asking permission to upgrade the severity to grave; I am asking also that the 
bug be listed as a security bug for some of the following reasons:

Let me make sure I understand the situation: If this bug can prevent all 
logins and is caused by a buffer overrun situation in login which causes same 
to segfault, this is a security bug. True? If there are more buffer overrun 
potentialities in the shadow password suite, presently used by debian to 
authenticate users, then these too are security bugs waiting to be located. 
True?

Our particular situation:

As it happens, the group file is used to place students in groups named by 
classes. If it doesn't work, this particular bug will wholly corrupt the group 
database at or near the point when the group line length reaches the 
critical-mass point of 1024 chars; this can affect a student's grade. 
Admittedly, there is nothing I saw in policy to cover such a situation, 
however I see nothing at all wrong with saying that this adds support to the 
claim that this is a bug involving security issues, and whether as such or 
not, is a situation which can at best be described as grave.

To Guy Maor:

Please let me know if I can help by testing new patches. We now have a machine 
which is being used to experiment with the unstable side of debian. At the 
moment, it is also a local mirror for frozen, and as such is tracking it. I'd 
be quite happy to test what you have or even to do some coding as time 
permits. I am well aware that you inherited some of the 1024-byte situation; 
parts of it have existed since well before 0.93, and maybe even before debian 
existed at all.

-Jim


