
[SRM] Possible upload of adtool



Dear SRMs,

(paraphrased from my mail to security team):

Versions of adtool prior to 1.3.2 leak the password of the foreign account
being set into the process title (and so into the output of ps and the
/proc command line) whenever the password is given as a command-line
argument. I came across this by chance in a year-old bug on
Launchpad [1], and the suggested patch has been integrated upstream in
unstable with slight modification [2].

It's not serious enough to warrant a security update, but Thijs
suggested getting it into Lenny in the upcoming point release if it's
not too late already. The patch is trivial.

However, between the versions in stable and testing I adopted adtool, so
my question is:

 1. would you like an upload, or is it too late?
 2. if so, is a maintainer change acceptable in the same upload?
 3. as a DM only, can you accept an upload directly or will I need
    sponsorship?

[1] https://bugs.launchpad.net/ubuntu/+source/adtool/+bug/209315
[2] Patch for src/tools/adtool.c:
@@ -159,3 +159,4 @@ void setpass(char **argv) {
        } else {
-               password=argv[1];
+               password=strdup(argv[1]);
+               memset(argv[1], 0, strlen(argv[1]));
        }
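Review bot: `strdup(argv[1])` can return NULL and the result is used unchecked, so `ad_setpass(*dn, password)` in the next hunk would receive a NULL password on allocation failure; add a check between the strdup and the memset, e.g. `if (password == NULL) { perror("strdup"); exit(1); }`. The memset on `argv[1]` is the right target for the process-title leak, but it only hides the value from readers that look after this point; anything that read the title between exec and this line has already seen it, which matches the mitigation-only scope described in the mail.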
@@ -168,2 +169,3 @@ void setpass(char **argv) {
        result=ad_setpass(*dn, password);
+       free(password);
        if(result!=AD_SUCCESS) {
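Review bot: `free(password)` releases the copy with the plaintext still in it; zero it first (`memset(password, 0, strlen(password));` immediately before the `free`, ideally through a volatile store so the compiler cannot elide the write) so the password does not linger in freed heap memory. This unconditional `free` also assumes `password` always comes from the heap: the `else` branch in the first hunk now uses strdup, but the `if` branch is outside that hunk and must allocate the same way, otherwise this frees non-heap memory.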
@@ -652,2 +654,3 @@ int main(int argc, char **argv) {
                                bindpw=strdup(optarg);
+                               memset(optarg, 0, strlen(optarg));
                                break;
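Review bot: same unchecked `strdup` as in setpass: if `bindpw` comes back NULL, the following `memset(optarg, ...)` wipes the only copy of the bind password before the failure is noticed, so check the return value before the memset. Clearing `optarg` is correct since getopt's `optarg` points into argv, but `bindpw` itself should also be zeroed and freed before the program exits, as the setpass copy now is in the second hunk.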

TIA,

-- 
Jonathan Wiltshire

PGP/GPG: 0xDB800B52 / 4216 F01F DCA9 21AC F3D3  A903 CA6B EA3E DB80 0B52
