Package: libpam-cracklib
Version: 0.76-22
Severity: critical
Tags: security
Justification: root security hole

The only non-commented lines in /etc/pam.d/common-password:

password required pam_cracklib.so retry=3 minlen=6 difok=3
password required pam_unix.so use_authtok nullok md5

Example session of passwd program usage:

[EMAIL PROTECTED]:~$ passwd
Changing password for test
(current) UNIX password:
New UNIX password:
(index fread failed): Success
Segmentation fault

I am no security expert but I feel that suid-root programs should not
segfault. I would be happy if you prove that it is my fault and there
is no root security hole here.

Kind regards,
Robert

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11-4
Locale: LANG=sk_SK, LC_CTYPE=sk_SK (charmap=ISO-8859-2)

Versions of packages libpam-cracklib depends on:
ii  cracklib-runtime      2.7-15        Runtime support for password check
ii  cracklib2             2.7-15        A pro-active password checker libr
ii  libc6                 2.3.2.ds1-21  GNU C Library: Shared libraries an
ii  libpam0g              0.76-22       Pluggable Authentication Modules l
ii  wamerican [wordlist]  5-4           American English dictionary words
ii  wbritish [wordlist]   5-4           British English dictionary words f

-- no debconf information