
Re: Yikes, sorry. (Was Re: make-kpkg)



Lorens Kockum said something to the effect of:
"Why get asked at all whether to run shadow passwds?"

There are multiple buffer overrun bugs in the shadow 
passwd suite as used by debian. The bugs seem to take
different forms in hamm than they do in bo; I'm not sure
why. I reported this as a critical bug in login (to the
effect that if lines in /etc/group are too long, NO ONE
LOGS IN), but the only reply I have received to date is
the automatic reply from the debian bugs robot.

It is my opinion that the shadow passwd suite needs to be
thoroughly and completely shaken down.

It's my understanding:
 -that any bug that would prevent anyone logging in, is
  critical; if I'm wrong on this, let me know, and I'll 
  reset the bug severity to something less than this. 
  Note, however, that such a bug has security implications
  as well, especially in the presence of buffer overrun
  problems. The silence after posting the bug makes me 
  suspect this is maybe the case, or that the shadow 
  passwd suite is orphaned. Could someone please let me 
  know either way?

 -that if a bug which is critical is not resolved, new
  versions of debian will not be released.

-Jim

