Processed: Re: Bug#318123: Patch insufficient
Processing commands for [EMAIL PROTECTED]:

severity 318123 important
Bug#318123: [CVE-2006-0061] xlockmore: xlock segfaults with libpam-opensc, returns to user session
Bug#399003: xlock accepts empty password if opie is in the pam auth stack
Severity set to `important' from `grave'

thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#318123: Patch insufficient
severity 318123 important
thanks

On Sat, Dec 09, 2006 at 11:36:02AM -0500, Michael Stone wrote:
> The best solution for now is probably just to conflict with libpam-opensc

NMU'd with this 'solution' -- downgrading this bug and its sister one accordingly. I don't consider this bug adequately solved, but this solution IMHO trumps having nothing at all and hence no xlock in etch.

NMU patch attached.

--Jeroen

--
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl

diff -u xlockmore-5.22/debian/control xlockmore-5.22/debian/control
--- xlockmore-5.22/debian/control
+++ xlockmore-5.22/debian/control
@@ -10,7 +10,7 @@
 Depends: ${shlibs:Depends}
 Suggests: fortune
 Recommends: libpam-modules
-Conflicts: xlockmore, libpam-modules ( 0.76-13.1), xbase ( 3.3.2.3a-2)
+Conflicts: xlockmore, libpam-modules ( 0.76-13.1), xbase ( 3.3.2.3a-2), libpam-p11, libpam-opie
 Replaces: xlockmore
 Provides: xlockmore
 Priority: optional
@@ -31,7 +31,7 @@
 Depends: ${shlibs:Depends}
 Suggests: fortune
 Recommends: libpam-modules
-Conflicts: xlockmore-gl, libpam-modules ( 0.76-13.1), xbase ( 3.3.2.3a-2)
+Conflicts: xlockmore-gl, libpam-modules ( 0.76-13.1), xbase ( 3.3.2.3a-2), libpam-p11, libpam-opie
 Replaces: xlockmore-gl
 Priority: extra
 Description: Lock X11 display until password is entered.
diff -u xlockmore-5.22/debian/changelog xlockmore-5.22/debian/changelog
--- xlockmore-5.22/debian/changelog
+++ xlockmore-5.22/debian/changelog
@@ -1,3 +1,11 @@
+xlockmore (1:5.22-1.2) unstable; urgency=high
+
+  * Non-Maintainer Upload to address RC bug
+  * Add conflicts on libpam-opie and libpam-p11, mitigating a potential
+    security issue (addressing: #318123, #399003)
+
+ -- Jeroen van Wolffelaar [EMAIL PROTECTED]  Wed, 17 Jan 2007 01:49:41 +0100
+
 xlockmore (1:5.22-1.1) unstable; urgency=medium
 
   * Non-maintainer upload, BSP Zurich/Switzerland
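Review bot: the first control hunk (the xlockmore stanza, `@@ -10,7 +10,7 @@`) adds `libpam-p11, libpam-opie` to Conflicts, but the title of #318123 and the quoted suggestion it is answering both name libpam-opensc, which does not appear in the new line. If libpam-opensc still exists as a package name in the archive next to libpam-p11, it has to be listed as well for the conflict to bite; if libpam-p11 is the package that replaced it, the changelog entry should say so, because right now nothing on the record connects the bug's package name to the one in the mitigation.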
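Review bot: in the second control hunk (the xlockmore-gl stanza, `@@ -31,7 +31,7 @@`), as in the first, both the removed and the added Conflicts line carry versioned entries of the form `libpam-modules ( 0.76-13.1)` and `xbase ( 3.3.2.3a-2)` with nothing in front of the version inside the parentheses. A versioned relation in debian/control needs a comparison operator there (one of `<<`, `<=`, `=`, `>=`, `>>`), so before this is applied confirm that the operators are present in the real patch and were only lost in this copy (angle brackets are routinely eaten on the way through a mail archive); a line without them will not build.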
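Review bot: the changelog hunk references the bugs as `(addressing: #318123, #399003)`, which the Debian changelog tooling does not recognise as a `Closes:` statement, so this upload will leave both bugs open. The cover mail says the bugs are being downgraded rather than fixed, so that is presumably the intent, but the entry should state it (for example that the new conflicts are a mitigation and the two bugs remain open at severity important) so that someone reading the changelog later does not take the missing `Closes:` for an oversight.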
Bug#318123: Patch insufficient
tags 318123 - patch
thanks

10:55 <Joey> aba: fyi, the patch in #318123 may not be sufficient. If that is the patch we also had for security, it is not sufficient, which is also why there was no DSA.
10:56 <Joey> jwz also released a new version recently iirc.
10:56 <aba> Joey: can you please write that to the bug and remove the patch tag?
10:58 <Joey> do it yourself

(Summary: [EMAIL PROTECTED] says patch in #318123 is insufficient)

--
http://home.arcor.de/andreas-barth/
Bug#318123: Patch insufficient
On Sat, Dec 09, 2006 at 11:01:01AM +0100, you wrote:
> (Summary: [EMAIL PROTECTED] says patch in #318123 is insufficient)

No shit; I said that when I first saw the patch. The best solution for now is probably just to conflict with libpam-opensc; there's some work on rearchitecting the pam support in xlock, but that's not going to be done soon. The basic problem is that the pam support is rudimentary, and pushing it isn't going to lead to good results.

I still fundamentally disagree that this is a security bug, since it is something that only happens in a non-default configuration, only happens if the system administrator configures it that way, and isn't a working configuration anyway. (So it's not like someone's going to configure it this way and not know there's a problem.)

Mike Stone
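Mike's point is that the failure only shows up when an administrator has put one of these modules into xlock's PAM auth stack, which is something a machine can check for. The following is an added example, not code from the bug report, from the xlockmore package, or from any of the posters: a small audit that parses a PAM service configuration (including the `@include` lines Debian's /etc/pam.d uses) and reports any of the modules this thread names that appear in the auth stack. The in-memory file tree, the configuration lines in it, and the mapping from the package names in the thread (libpam-opensc, libpam-p11, libpam-opie) to module file names (pam_opensc.so, pam_p11.so, pam_opie.so) are all assumptions made for the example.

```python
"""Added example (not from the bug report or the xlockmore package):
audit a PAM service's auth stack for the modules this thread names.

All configuration text below is constructed for illustration; the mapping
from Debian package names to module file names is an assumption.
"""

# Assumed module file names for the packages named in #318123 / #399003:
# libpam-opensc -> pam_opensc.so, libpam-p11 -> pam_p11.so, libpam-opie -> pam_opie.so
SUSPECT_MODULES = {"pam_opensc.so", "pam_p11.so", "pam_opie.so"}

# Constructed stand-in for /etc/pam.d: service or include name -> file contents.
SAMPLE_PAM_D = {
    "xlock": (
        "# constructed sample: xlock with an OPIE module ahead of pam_unix\n"
        "auth    sufficient  pam_opie.so\n"
        "@include common-auth\n"
        "account required    pam_unix.so\n"
    ),
    "common-auth": "auth    required    pam_unix.so\n",
    "xlock-p11": (
        "auth    [success=1 default=ignore]  pam_p11.so\n"
        "auth    required    pam_unix.so\n"
    ),
    "xlock-clean": (
        "auth    required    pam_unix.so\n"
        "account required    pam_unix.so\n"
    ),
}


def parse_pam_stack(service, files, _seen=None):
    """Yield (file, type, control, module) for each rule of a PAM service,
    following @include directives and ignoring comments and blank lines."""
    if _seen is None:
        _seen = set()
    if service in _seen or service not in files:
        return  # include loop or missing file: nothing more to read
    _seen.add(service)
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "@include" and len(fields) > 1:
            yield from parse_pam_stack(fields[1], files, _seen)
            continue
        if len(fields) < 3:
            continue  # malformed rule; PAM itself would log and skip it
        rule_type = fields[0].lstrip("-")  # a leading '-' marks an optional module
        # The control field may be a bracketed list such as [success=1 default=ignore];
        # re-join those tokens so the module is the token after the closing ']'.
        end = 1
        if fields[1].startswith("["):
            while end < len(fields) and not fields[end].endswith("]"):
                end += 1
        if end + 1 >= len(fields):
            continue  # bracket never closed or no module name after it
        control = " ".join(fields[1:end + 1])
        module = fields[end + 1]
        yield (service, rule_type, control, module)


def audit_auth_stack(service, files=SAMPLE_PAM_D):
    """Return [(file, control, module)] for suspect modules in the auth stack."""
    findings = []
    for name, rule_type, control, module in parse_pam_stack(service, files):
        # Compare on the basename so "/lib/security/pam_opie.so" is matched too.
        if rule_type == "auth" and module.rsplit("/", 1)[-1] in SUSPECT_MODULES:
            findings.append((name, control, module))
    return findings


if __name__ == "__main__":
    for svc in ("xlock", "xlock-p11", "xlock-clean"):
        hits = audit_auth_stack(svc)
        print(svc, "->", hits if hits else "no suspect modules in auth stack")
```

On a real system the dictionary would be replaced by reading the files under /etc/pam.d; the parser only reports presence and the control flag, it does not judge whether a given stack is unsafe, since that depends on which module and which xlock version are installed.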