Dear SRMs, (paraphrased from my mail to security team): Versions of adtool prior to 1.3.2 are vulnerable to leaking password information for foreign accounts on the proc title if given as arguments to the program. I came across this by chance in a year-old bug on Launchpad [1], and the suggested patch has been integrated upstream in unstable with slight modification [2]. It's not serious enough to warrant a security update, but Thijs suggested getting it into Lenny in the upcoming point release if it's not too late already. The patch is trivial. However, between the versions in stable and testing I adopted adtool, so my question is: 1. would you like an upload, or is it too late? 2. if so, is a maintainer change acceptable in the same upload? 3. as a DM only, can you accept an upload directly or will I need sponsorship? [1] https://bugs.launchpad.net/ubuntu/+source/adtool/+bug/209315 [2] Patch for src/tools/adtool.c: @@ -159,3 +159,4 @@ void setpass(char **argv) { } else { - password=argv[1]; + password=strdup(argv[1]); + memset(argv[1], 0, strlen(argv[1])); } @@ -168,2 +169,3 @@ void setpass(char **argv) { result=ad_setpass(*dn, password); + free(password); if(result!=AD_SUCCESS) { @@ -652,2 +654,3 @@ int main(int argc, char **argv) { bindpw=strdup(optarg); + memset(optarg, 0, strlen(optarg)); break; TIA, -- Jonathan Wiltshire PGP/GPG: 0xDB800B52 / 4216 F01F DCA9 21AC F3D3 A903 CA6B EA3E DB80 0B52
Attachment:
signature.asc
Description: Digital signature