[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Accepted libpam-ldap 144-1 (i386 source)

On Sun, May 12, 2002 at 01:00:52PM +0200, Wichert Akkerman wrote:
> Previously Sami Haahtinen wrote:
> > Changes: 
> >  libpam-ldap (144-1) unstable; urgency=low
> >    * Upstream fix for a security related bug which involves a Format String
> >      problems. The propability for this bug to affect the security on a
> >      normally configured system is so small that i won't squeeze this in to
> >      woody at all. (first affected version was 40)
> I disagree, how probably a security problem is should not matter at all.
> Can you describe the exact problem?

The problem can occur if one uses something like config=foo%s%n in the
configuration. This situation can occur only if someone is able to
modify your pam configuration, in which case you already have a big
problem. (as the user can obtain root privileges without exploiting the

For more information, see the upstream notes:

Regards, Sami Haahtinen

			  -< Sami Haahtinen >-
      -[ Is it still a bug, if we have learned to live with it? ]-
	-< 2209 3C53 D0FB 041C F7B1  F908 A9B6 F730 B83D 761C >-

Attachment: pgphl6eZTPB9x.pgp
Description: PGP signature

Reply to: