Bug#689562: utempter: Allows fake host setting

To: 689562@bugs.debian.org
Subject: Bug#689562: utempter: Allows fake host setting
From: paul.szabo@sydney.edu.au
Date: Thu, 4 Oct 2012 21:56:45 +1000
Message-id: <201210041156.q94BujhE014839@bari.maths.usyd.edu.au>
Reply-to: paul.szabo@sydney.edu.au, 689562@bugs.debian.org
In-reply-to: <handler.689562.B.134931646610444.ack@bugs.debian.org>

Searching for previous references for this issue, I found:

https://github.com/keithw/mosh/pull/219
  To top it all off: I actually believe libutempter to be a security
  /bug/ by its very design, as it allows untrusted code to spoof
  hostnames into utmp ...

so may have been a "known issue". (Only reference I found, so far.)

Should this broken behaviour be documented, maybe?

Are there any utilities that depend on a correct utmp?
If not, why do we bother updating it?

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

Reply to:

Prev by Date: Bug#689564: konqueror consumes huges amount of memory and does not quit
Next by Date: Processed: [bts-link] source package kdemultimedia
Previous by thread: Bug#689564: konqueror consumes huges amount of memory and does not quit
Next by thread: Bug#689562: utempter: Allows fake host setting
Index(es):
- Date
- Thread