[Pkg-shadow-devel] Bug#1103832: Bug#1103832: Bug#1103832: shadow: CVE-2024-56433

Serge Hallyn serge at hallyn.com
Sun Jun 14 21:19:32 BST 2026


Jun 14, 2026 08:21:17 Salvatore Bonaccorso <carnil at debian.org>:

> Hi Chris,
>
> On Fri, Jun 12, 2026 at 02:19:20PM +0200, Chris Hofstaedtler wrote:
>> On Wed, Apr 30, 2025 at 06:02:52PM +0200, Salvatore Bonaccorso wrote:
>>> Hi,
>>>
>>> On Fri, Apr 25, 2025 at 03:10:10PM +0000, Moritz Mühlenhoff wrote:
>>>> On Wed, Apr 23, 2025 at 05:04:22PM -0500, Serge E. Hallyn wrote:
>>>>> On Tue, Apr 22, 2025 at 09:46:14PM +0200, Chris Hofstaedtler wrote:
>>>>>>>>>>>
>>>>> Maybe debian changelog?
>>>>
>>>> Or maybe simply add a note in the existing README.Debian?
>>>
>>> In my opinion if it can be added to upstream documentation that would
>>> be ideal, but agree that for Debian purposes otherwise we can add a
>>> note on the problem to the README.Debian (or both in the end).
>>>
>>> Chris, what do you think with you maintainer hat on here?
>>
>> I was hoping there would be some upstream activity on this.
>> Unfortunately https://github.com/shadow-maint/shadow/issues/1157
>> seems completely stalled.
>>
>> Not sure it makes sense to keep tracking this.
>
> I asked in
> https://github.com/shadow-maint/shadow/issues/1157#issuecomment-4701723167
> . I would say if there is no plan to otherwise handle it upstream with
> a documentation update then it might be still worth as Moritz suggested
> to a Debian specific README.Debian and be done with it.
>
> Regards,
> Salvatore

I'm open to a note in the subid manpages.

IMO in a zero trust architecture and with the ability to uid shift vfsmounts this is mostly a lazy regulator problem, but as I have seen the same issue in my workplace, I am sympathetic and have no issues with a balanced, brief discussion of the issue and ramifications there. The subuid manpage seems the best place, but I'm open to other suggestions.

-serge
