Re: [linux-alert] Serious Security hole in getpwnam ()
On Wed, 29 May 1996, Bruce Perens wrote:
> I submit that the attached fix is insufficient and that
> passwd entries that do not contain UID and GID numbers should not be
> returned by the various password library functions.
From: Guy Maor <maor@ece.utexas.edu>
> I patched passwd to preserve the '+::::::' line. It currently writes
> it back out as '+::0:0:::'. Mike vS. said that wouldn't be a problem,
> but it might affect this?
I bet that passwd wants to read and re-write that "+::::::" with the
password functions, so you can't have them reject it on formatting grounds.
However, login and su should reject poorly-formatted passwd entries.
> Regarding Incoming, I'm running the dinstall script now.
Wonderful!
> About 1/3 of the uploads are being rejected, mostly for silly reasons.
> I'm just installing those by hand.
I have seen some seriously bogus dchanges formats on the mailing lists
in the last few days. I think for a start everyone should be sure to be
using your latest version of dchanges.
> I'll write a 'How to Upload' document and post it here and in
> doc/package-developer this evening. After that, I won't install
> any files whose .changes file doesn't pass muster.
OK, thanks.
Bruce
--
Pixar's Toy Story: Over 1/3 Billion dollars world box office so far.
Bruce Perens AB6YM Bruce@Pixar.com http://www.hams.com/
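
Added example, not part of the original message and not code from login, su or libc: a strict check of the kind a login-type program could apply to a raw passwd line, so that an entry with missing UID/GID fields is refused instead of being read as 0 (the thread notes '+::::::' is written back as '+::0:0:::'). The function name `entry_ok_for_login` and the sample lines are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a non-empty, all-digit field into *out; return 1 on success.
 * An empty field fails here instead of silently becoming 0. */
static int parse_id(const char *s, size_t len, unsigned long *out)
{
    char buf[16], *end;
    if (len == 0 || len >= sizeof buf) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)s[i])) return 0;
    memcpy(buf, s, len);
    buf[len] = '\0';
    errno = 0;
    *out = strtoul(buf, &end, 10);
    return errno == 0 && *end == '\0';   /* rejects out-of-range values */
}

/* Hypothetical caller-side check (name is an assumption): return 1 only if
 * `line` is a complete 7-field passwd entry usable for authentication. */
int entry_ok_for_login(const char *line, unsigned long *uid, unsigned long *gid)
{
    const char *f[7], *p = line;
    size_t len[7];
    int n = 0;
    for (;;) {
        size_t l = strcspn(p, ":\n");
        if (n == 7) return 0;            /* more than 7 fields */
        f[n] = p; len[n] = l; n++;
        if (p[l] != ':') break;          /* end of line or string */
        p += l + 1;
    }
    if (n != 7) return 0;                /* fewer than 7 fields */
    /* Empty names and NIS compat markers ('+', '-') are never login accounts. */
    if (len[0] == 0 || f[0][0] == '+' || f[0][0] == '-') return 0;
    return parse_id(f[2], len[2], uid) && parse_id(f[3], len[3], gid);
}

int main(void)
{
    const char *samples[] = { "+::::::", "+::0:0:::", "guest:x:::::/bin/sh",
        "bruce:x:1000:100:Bruce:/home/bruce:/bin/sh" };  /* constructed */
    unsigned long u, g;
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-45s %s\n", samples[i],
               entry_ok_for_login(samples[i], &u, &g) ? "accept" : "reject");
    return 0;
}
```

The password library functions can still hand the '+' line to passwd for rewriting; only the authentication path applies this check.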