[Pkg-shadow-devel] Re: Security fix for shadow in sarge
nicolas.francois at centraliens.net
Fri Jun 30 18:26:05 UTC 2006
On Fri, Jun 30, 2006 at 07:57:00PM +0200, Moritz Muehlenhoff wrote:
> Meanwhile another shadow issue popped up: CVE-2006-1174 (missing args passed
> to open(), so that random memory might be used instead). It's of very low
> impact, but could you check whether Sarge is affected?
Sarge is not affected.
The bug mentioned in this NEWS entry was in create_mail(), which was
introduced after 4.0.3.
The only calls to open() in Sarge's useradd are for the faillog and
lastlog files and do not use the O_CREAT flag.
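
The defect class discussed in this thread, as an added example that is not part of the original message or of the shadow sources: open() called with O_CREAT but no mode argument, shown beside a form that passes the mode explicitly and verifies the result. The names `create_with_mode` and `demo_mode` and the scratch path are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Defective pattern, kept as a comment because it is undefined behaviour:
 *
 *     fd = open(path, O_CREAT | O_WRONLY | O_EXCL);
 *
 * open() is variadic. With O_CREAT it reads a mode_t argument the caller
 * never passed, so the new file's permissions come from whatever happens
 * to be in that register or stack slot. Calls without O_CREAT (such as
 * the faillog/lastlog opens mentioned above) never read the mode.
 */

/* Create path with an explicit mode; return the permission bits found
 * on disk afterwards, or -1 on error. */
int create_with_mode(const char *path, mode_t mode)
{
    struct stat st;
    int fd = open(path, O_CREAT | O_WRONLY | O_EXCL, mode);
    if (fd < 0)
        return -1;
    /* fchmod makes the result independent of the process umask. */
    if (fchmod(fd, mode) != 0 || fstat(fd, &st) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    return (int)(st.st_mode & 07777);
}

/* Constructed demo: create a scratch file in a private directory. */
int demo_mode(void)
{
    char dir[] = "/tmp/open-mode-XXXXXX", path[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/mailbox", dir);
    int got = create_with_mode(path, 0600);
    unlink(path);
    rmdir(dir);
    return got;
}
```
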