On Wed, May 14, 2008 at 07:36:14PM -0700, Ivan Kohler wrote:
> On Tue, May 13, 2008 at 10:36:33AM +0200, Christoph Pleger wrote:
> > Hello,

> > > - The patch needs to be updated to apply against the current package in
> > > unstable.

> > Done. I have attached a patch for unix_auth.c

> > > and, importantly:

> > > - we need some code review/feedback/signoff from the Debian folks
> > > maintaining PAM and other related components.  I am *NOT* going to be
> > > the guy who uploads a new setuid binary without adequate review.

> > Will you contact them?

> I have Cc:'ed [EMAIL PROTECTED], the PAM maintainers:

> Please review unix2_chkpwd.c (and the patch to unix_auth.c to use it) in 
> this bugreport and let us know if you feel it secure to include as a 
> setuid root binary (like vanilla PAM's /bin/unix_chkpwd).

I'm sorry, I have no time to commit to doing an audit of this code.  You may
wish to look at the Debian Security Audit project:

  http://www.debian.org/security/audit/faq

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]


