On Wed, 21 Apr 2004 12:47:58 +0200 BUCHMULLER Norbert <[EMAIL PROTECTED]> wrote:
> Isn't it CAN-2003-0689? (I have not seen that fixed in libc6's

It _is_. http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=101691 states that 2.2.5 is affected, that the bug is in libc/grp/initgroups.c, and that the revision that fixes the bug is 1.29.

From the CVS log (http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/grp/initgroups.c?cvsroot=glibc) I see that the fix was done in 1.29 indeed, and having a look at the diff between 1.29 and 1.28 revealed that Debian's 2.2.5-11.5 has revision 1.28 of that file, not 1.29.

Now it is clear that this bug is the same as in CAN-2003-0689. Debian is still vulnerable. :-(

Please fix it. Thanks.

norbi

