[Pkg-shadow-devel] Bug#1103832: Bug#1103832: Bug#1103832: shadow: CVE-2024-56433
Salvatore Bonaccorso
carnil at debian.org
Wed Apr 23 07:23:09 BST 2025
Hi Chris, hi Serge,
On Tue, Apr 22, 2025 at 09:46:14PM +0200, Chris Hofstaedtler wrote:
> * Serge E. Hallyn <serge at hallyn.com> [250422 15:48]:
> > On Mon, Apr 21, 2025 at 08:08:50PM +0200, Salvatore Bonaccorso wrote:
> > > Though this will not really be fixable in code, it depends on how
> > > uids were assigned within a group of systems by system
> > > administrators. Let's link downstream bug report and upstream and maybe
> > > they come up with a documentation update reflecting the issue?
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2024-56433
> > > https://www.cve.org/CVERecord?id=CVE-2024-56433
> > > [1] https://github.com/shadow-maint/shadow/issues/1157
> >
> > There is no id range that couldn't possibly conflict with some
> > site's network ids. The only default safe for that concern is
> > to not automatically enable any subids.
>
> Indeed. The question really is: what are we gonna do?
>
> Should there be some form of documentation update, like a README?
>
> What else would be "sufficient" to close this topic?
Sorry, I seem to not have been clear when filing the bug report. Yes, I
do understand the problem, and was persuading/checking if it might be
worth/sufficient having it documented in upstream. Or what else we
should do.
Hope I explained it now in a more sensible way. Thanks Chris.
Regards,
Salvatore
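As an added example (not from this thread, nor from shadow upstream or the Debian package), here is the kind of check a site administrator could run to detect the overlap Serge describes: parse /etc/subuid-style entries and report any local subordinate range that contains a uid the site already hands out through its network directory. The subuid contents and directory uids below are constructed for illustration.

```python
# Added example: detect overlap between /etc/subuid ranges and uids
# assigned elsewhere (e.g. by a site-wide LDAP/NIS directory).
# All input data below is constructed, not taken from a real system.

from dataclasses import dataclass
from typing import Iterable, List, Tuple

@dataclass(frozen=True)
class SubidRange:
    owner: str   # user (or uid) that owns the subordinate range
    start: int   # first subordinate id
    count: int   # number of ids in the range

    @property
    def end(self) -> int:
        return self.start + self.count - 1  # inclusive last id

def parse_subid(text: str) -> List[SubidRange]:
    """Parse /etc/subuid or /etc/subgid content: one 'owner:start:count' per line."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        owner, start, count = line.split(":")
        ranges.append(SubidRange(owner, int(start), int(count)))
    return ranges

def find_collisions(ranges: Iterable[SubidRange],
                    network_ids: Iterable[Tuple[str, int]]) -> List[Tuple[str, str, int]]:
    """Return (range owner, network account, id) for every network-assigned id
    that falls inside a locally allocated subordinate range."""
    hits = []
    for r in ranges:
        for name, nid in network_ids:
            if r.start <= nid <= r.end:
                hits.append((r.owner, name, nid))
    return hits

# Constructed sample: two automatically allocated subuid ranges plus a
# directory whose uids happen to be assigned in the same numeric region.
SAMPLE_SUBUID = """\
# owner:start:count
alice:100000:65536
bob:165536:65536
"""
SAMPLE_NETWORK_IDS = [("svc-backup", 120000), ("carol", 200001), ("dave", 50000)]

if __name__ == "__main__":
    for owner, name, nid in find_collisions(parse_subid(SAMPLE_SUBUID), SAMPLE_NETWORK_IDS):
        print(f"subuid range of {owner} contains network uid {nid} ({name})")
```

On a real host, read /etc/subuid and feed the uids from the directory (for example the output of `getent passwd` against the network source) in place of the constructed lists.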