[Pkg-shadow-devel] Re: Security fix for shadow in sarge

Nicolas François nicolas.francois at centraliens.net
Fri Jun 30 18:26:05 UTC 2006


On Fri, Jun 30, 2006 at 07:57:00PM +0200, Moritz Muehlenhoff wrote:
> Meanwhile another shadow issue popped up: CVE-2006-1174 (missing args passed
> to open(), so that random memory might be used instead). It's of very low
> impact, but could you check, whether Sarge is affected?
> http://cvs.pld.org.pl/shadow/NEWS?rev=1.109

Sarge is not affected.
The bug mentionned in this NEWS entry was in create_mail(), which was
introduced after 4.0.3

The only calls to open() in Sarge's useradd are for the faillog and
lastlog files and do not use the O_CREAT flag.

Kind Regards,

More information about the Pkg-shadow-devel mailing list