On Thu, May 15, 2008 at 12:30:21PM -0700, Steve Langasek wrote: > On Wed, May 14, 2008 at 07:36:14PM -0700, Ivan Kohler wrote: > > On Tue, May 13, 2008 at 10:36:33AM +0200, Christoph Pleger wrote: > > > Hello, > > > > > - The patch needs to be updated to apply against the current package in > > > > unstable. > > > > Done. I have attached a patch for unix_auth.c > > > > > and, importantly: > > > > > - we need some some code review/feedback/signoff from the Debian folks > > > > maintaining PAM and other related components. I am *NOT* going to be > > > > the guy who uploads a new setuid binary without adequate review. > > > > Will you contact them? > > > I have Cc:'ed [EMAIL PROTECTED], the PAM maintainers: > > > Please review unix2_chkpwd.c (and the patch to unix_auth.c to use it) in > > this bugreport and let us know if you feel it secure to include as a > > setuid root binary (like vanilla PAM's /bin/unix_chkpwd). > > I'm sorry, I have no time to commit to doing an audit of this code. You may > wish to look at the Debian Security Audit project: > > http://www.debian.org/security/audit/faq
Do you (or anyone else) happen to have a public contact address to suggest? The page only points to a non-Debian mailing list, and it seems bad form to subscribe [EMAIL PROTECTED] -- _ivan -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]