Dear Nicolas,

> We believe that the bug you reported is fixed in ...
> login_4.1.3-1_i386.deb ...

The untrusted ut_line is now internally used for utmp only (so there should be no security issues there), but is passed to PAM as PAM_TTY. Thus an attacker could:
- cause securetty checks to fail resulting in a DoS, or
- bypass or trick some checks in pam_time or pam_group.

Please let me know if you require further details.

[Am puzzled that the bug embodied in is_my_tty() was left, and by the insistence to use ut_line in preference to ttyname().]

Please re-open the bug.

Cheers, Paul

Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
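
An added example, not code from the shadow package or from this message: one way a login program can take the value it passes as PAM_TTY from ttyname() and treat ut_line only as a hint that must agree with it. The function name `select_pam_tty`, its return codes and the sample values are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: choose the tty name to hand to PAM as PAM_TTY.
 * `dev` is what ttyname() returned for the login fd and is the only trusted
 * source; `ut_line` is the utmp value (copied by the caller into a
 * NUL-terminated buffer) and is only cross-checked against it.
 * Returns 0 = ok, 1 = ut_line disagreed and was ignored, -1 = no usable tty. */
int select_pam_tty(const char *dev, const char *ut_line, char *out, size_t outlen)
{
    static const char prefix[] = "/dev/";
    const char *name;

    if (dev == NULL || strncmp(dev, prefix, sizeof(prefix) - 1) != 0)
        return -1;                       /* not a terminal under /dev */
    name = dev + sizeof(prefix) - 1;
    if (*name == '\0' || strstr(name, "..") != NULL || strlen(name) >= outlen)
        return -1;                       /* empty, traversal, or too long */
    memcpy(out, name, strlen(name) + 1);

    /* Accept ut_line with or without a /dev/ prefix before comparing. */
    if (ut_line != NULL && strncmp(ut_line, prefix, sizeof(prefix) - 1) == 0)
        ut_line += sizeof(prefix) - 1;
    if (ut_line != NULL && *ut_line != '\0' && strcmp(ut_line, name) != 0)
        return 1;                        /* mismatch: keep the ttyname() value */
    return 0;
}

int main(void)
{
    char tty[64];
    const char *ut_line = "tty1";        /* constructed utmp value */
    int rc = select_pam_tty(ttyname(STDIN_FILENO), ut_line, tty, sizeof(tty));

    if (rc < 0) {
        fprintf(stderr, "stdin is not a terminal; refusing to guess PAM_TTY\n");
        return 1;
    }
    printf("PAM_TTY=%s%s\n", tty, rc ? " (ut_line ignored)" : "");
    return 0;
}
```

A return value of 1 is worth logging, since it means the utmp entry named a different terminal than the one the process is actually attached to.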