Quoting Steve Kemp <[EMAIL PROTECTED]>:

> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=289784
>
> That's an .. unlikely .. bug to occur in practice. I guess only
> root can modify the GECOS field.

No, you can use the chfn command to change all data in your own GECOS field except your real name. The command checks the length of all data, so you probably can't use it for this attack (it might be possible to enter the maximum amount in each field and make it reach 160 bytes that way). There are other systems that will let you edit your GECOS field, like webmin (I think) and more.

It's not a really serious bug, but IMHO worth fixing.

-- 
Ulf Harnhammar
http://www.advogato.org/person/metaur/
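
An added example, not part of the original message: a defender-side audit of passwd-format data that flags accounts whose total GECOS length reaches the 160 bytes mentioned above even though each comma-separated subfield is individually short, which is the case a per-field length check would miss. The per-subfield cap of 80 bytes and the sample entries are assumptions constructed for illustration.

```python
"""Audit passwd-format data for oversized GECOS fields (constructed example)."""

# Assumption: 160 bytes is the total GECOS length mentioned in the message above.
GECOS_LIMIT = 160
# Assumption: hypothetical per-subfield cap, standing in for whatever chfn enforces.
SUBFIELD_CAP = 80

# Constructed sample data in passwd(5) format, not taken from any real system.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:1000:1000:Alice Example,Room 12,555-0100,555-0101:/home/alice:/bin/bash",
    "bob:x:1001:1001:Bob Example," + "A" * 60 + "," + "B" * 60 + "," + "C" * 60
    + ":/home/bob:/bin/sh",
    "broken line without enough fields",
])


def audit_gecos(passwd_text, limit=GECOS_LIMIT, subfield_cap=SUBFIELD_CAP):
    """Return findings for accounts whose GECOS field is `limit` bytes or longer."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # Malformed entries are skipped rather than guessed at.
            continue
        user, gecos = fields[0], fields[4]
        total = len(gecos.encode("utf-8"))  # bytes, not characters
        if total < limit:
            continue
        sub_lengths = [len(s.encode("utf-8")) for s in gecos.split(",")]
        findings.append({
            "line": lineno,
            "user": user,
            "total_bytes": total,
            "subfield_bytes": sub_lengths,
            # True when every subfield passes a per-field check, yet the sum is too long.
            "passes_per_field_check": max(sub_lengths) <= subfield_cap,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_gecos(SAMPLE_PASSWD):
        print(finding)
```

On a system that uses NSS sources such as LDAP, feed the function the output of `getent passwd` rather than the contents of `/etc/passwd`, so that accounts edited through other tools are included.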

