Hello dear Security team (and ftpmasters, and shadow package maintainers),

Being back from a 2-day holiday, I discover CVE-2006-3378, which has just been revealed to our attention (#359174 in the BTS).

As far as I can tell, this is a locally exploitable root vulnerability. Passwd is vulnerable in sarge. At this very moment, I haven't seen a fix. Nicolas François is working on one.

Our main problem is that we have another update (namely 4.0.3-31sarge7) which is pending for passwd, related to #356939. That update is *not* handled through the security updates queue but rather through the proposed-updates queue, as I explained to you a few days ago. It goes this way because it has to be synced with a base-config update that Joey Hess uploaded in proposed-updates.

The update is named 4.0.3-31sarge7 because a 4.0.3-31sarge6 was not accepted by the SRM team... and we (SRM and I) didn't want to wait for ftpmasters action...

CVE-2006-3378 complicates the whole thing a little bit... :-(

What I propose to you, as soon as we have a fix for CVE-2006-3378:

- urgently destroy 4.0.3-31sarge6 and 31sarge7 from the proposed-updates queue. Need ftpmasters collaboration with high urgency
- the security team, or the shadow package team, prepares 4.0.3-31sarge6 with the fix for CVE-2006-3378 *ALONE*
- the shadow package team prepares 4.0.3-31sarge7 with BOTH updates and sends it to the proposed-updates queue so that it can be picked by the SRM team when they're ready to update sarge

PS: neither testing nor unstable are affected by this bug, as the culprit options of passwd have been removed in shadow 4.0.14

