Bug#276419: [Pkg-shadow-devel] Bug#276419: Overflated severity?

[Christian Perrier]

tags 276419 fixed-upstream
thanks

> Agreed. Since there is a very simple fix (escape of arguments, which
> people used to shell programming should be able to achieve), a normal (=
or
> even minor) severity could be used.

Let's see if the submitter has some input.

PS to people in the pkg-shadow-devel list=A0: when answering to threads
which come from the BTS (mails sent to nnnnnn@bugs.debian.org), please
use the bug address and NOT the mailing list address.

When answering to the list, only the list members will see the
discussion. Answering to the bug number will archive the discussion in
the bug log. In both cases, you'll receive the answer as the
maintainer address for the package is....the mailing list..:-)

Also, in cases where the bug submitter was CC'ed (such as here where
we want his/her input), please keep him/her CC'ed. Remember that mails
sent to a given bug in Debian BTS do NOT go to the bug submitter.

> > Also, I already had a look at this bug some time ago
> > (half a year?). As far as I remember, the bug is fixed
> > in upstream -- need to re-check.
>=20
> Upstream's code for run_shell is very different (lots of PAM stuff) and
> use the arguments the same way as my patch.
>=20
> I also tested it to make sure, and (with the exception that --shell is =
not
> supported), it works.
>=20
> If anybody change the severity, it could also be tagged fixed-upstream


Done (feel free to do so in such cases...we are ALL maintainers of the
package)

>=20
>=20
> BTW, do you think the options supported by the Debian's su will be need=
ed
> after Sarge (currently it support --command, --preserve-environment and
> --shell, but IMHO upstream's su has no option).


Well, this will be part of the game "what to do with Debian specific
patches". Let's first finish the bug triage.