Um, wow... I'm afraid I couldn't agree with you less, Richard.

My suggestion would have to be CONTACT the original author of that version
of passwd, and the Debian security evaluators/announcers and let them know
as much as possible about the hole so they can evaluate/fix it.

Your discretion in not posting the details on the open list is
appreciated ;)

Good luck and thank you for your efforts!
David.

On Wed, 18 Jul 2001, Richard wrote:

>
> On Wed, 18 Jul 2001, Jerzy Wolinski wrote:
>
> > I found some local root exploit (source and binary).
> > I have run it on some test system. It works on Debian 2.2r2
>
> Is it not deceiving you like fakeroot does, are you not running the code
> as a privileged user?
>
> > From source I can see that it uses passwd program,
> > but I have no knowledge and no time to search how it
> > really works.
> > On Debian security alert pages I see nothing about passwd.
> > What should I do?
>
> Since you have no knowledge and no time, little else but
> to trust the Debian security team.
>
> [RicV]