tags 276419 fixed-upstream
thanks

> Agreed. Since there is a very simple fix (escape of arguments, which
> people used to shell programming should be able to achieve), a normal (or
> even minor) severity could be used.

Let's see if the submitter has some input.

PS to people in the pkg-shadow-devel list: when answering to threads which come from the BTS (mails sent to [EMAIL PROTECTED]), please use the bug address and NOT the mailing list address.

When answering to the list, only the list members will see the discussion. Answering to the bug number will archive the discussion in the bug log. In both cases, you'll receive the answer as the maintainer address for the package is....the mailing list..:-)

Also, in cases where the bug submitter was CC'ed (such as here where we want his/her input), please keep him/her CC'ed. Remember that mails sent to a given bug in Debian BTS do NOT go to the bug submitter.

> > Also, I already had a look at this bug some time ago
> > (half a year?). As far as I remember, the bug is fixed
> > in upstream -- need to re-check.
>
> Upstream's code for run_shell is very different (lots of PAM stuff) and
> uses the arguments the same way as my patch.
>
> I also tested it to make sure, and (with the exception that --shell is not
> supported), it works.
>
> If anybody changes the severity, it could also be tagged fixed-upstream

Done (feel free to do so in such cases...we are ALL maintainers of the package)

> BTW, do you think the options supported by the Debian's su will be needed
> after Sarge (currently it supports --command, --preserve-environment and
> --shell, but IMHO upstream's su has no option).

Well, this will be part of the game "what to do with Debian specific patches". Let's first finish the bug triage.

