At Thu, 22 Apr 2004 17:58:58 -0700, Matt Zimmerman wrote:
> > At Fri, 23 Apr 2004 01:11:15 +0200,
> > BUCHMULLER Norbert wrote:
> > > > Isn't it CAN-2003-0689? (I have not seen that fixed in libc6's
> > >
> > > It _is_.
> >
> > I didn't know this bug before...
> > Debian security team, could you look at it?
>
> Yes, this is not a new bug...however I do not consider it to have genuine
> security impact. In order to be triggered, a user must be a member of an
> unusually large number of groups (not under user's control), and in order to
> be exploited, the group names (not under user's control) would need to be
> manipulated.
>
> So the only attack vector I see is "user can cause some programs to crash by
> asking the sysadmin to add him to a large number of groups".
Thanks for your explanation.

> This bug has been seen to cause problems with, e.g., samba in real-world
> situations, though, so it might be worth fixing in an upload to
> proposed-updates.

Unfortunately we have missed proposed-updates for glibc in woody.
It's fixed in the coming release, sarge...

Regards,
-- gotom
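CAN-2003-0689 is the getgrouplist() buffer overflow in glibc 2.3.2, the condition Matt describes above: a user who is a member of more groups than the library's buffer anticipated. The C program below is an added example for this thread, not code from the list, from glibc or from Debian. It shows the caller-side size negotiation that getgrouplist() expects, so that a long group list grows the caller's buffer instead of being iterated past its end; it does not reproduce the libc-internal bug itself. The function name fetch_groups, the initial capacity of 8 and the 65536 safety cap are this example's own choices, and it reads the real user database of the host it runs on.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Explicit prototype so the example compiles even under strict -std=
 * modes where <grp.h> would not expose getgrouplist(). Matches glibc/musl. */
int getgrouplist(const char *user, gid_t group, gid_t *groups, int *ngroups);

/* Upper bound on the buffer we are willing to grow to (example's own cap). */
#define FETCH_GROUPS_MAX 65536

/*
 * Collect the base group and every supplementary group of `user`.
 *
 * getgrouplist() takes the buffer capacity in *ngroups; when the list does
 * not fit it returns -1 and writes the required size back into *ngroups.
 * The classic caller bug is to pass a fixed array, ignore the -1, and then
 * loop over the now-larger *ngroups: an out-of-bounds read (or write, if
 * the caller copies into it). This wrapper retries until the list fits.
 *
 * On success returns the group count and stores a malloc'd array in *out
 * (caller frees). Returns -1 on allocation failure or if the cap is hit.
 */
int fetch_groups(const char *user, gid_t base, gid_t **out)
{
    int capacity = 8;          /* deliberately small: forces the retry path */
    gid_t *buf = NULL;

    for (;;) {
        gid_t *nbuf = realloc(buf, (size_t)capacity * sizeof *nbuf);
        if (nbuf == NULL) {
            free(buf);
            return -1;
        }
        buf = nbuf;

        int n = capacity;      /* in: capacity; out: count or required size */
        if (getgrouplist(user, base, buf, &n) != -1) {
            *out = buf;        /* fits: n is the number of entries filled */
            return n;
        }

        /* Too small. Use the size the library asked for; if an
         * implementation did not update it, double instead. */
        int next = n > capacity ? n : capacity * 2;
        if (next > FETCH_GROUPS_MAX) {
            free(buf);
            return -1;
        }
        capacity = next;
    }
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    gid_t base = argc > 2 ? (gid_t)strtoul(argv[2], NULL, 10) : 0;
    gid_t *gids = NULL;

    int n = fetch_groups(user, base, &gids);
    if (n < 0) {
        fprintf(stderr, "fetch_groups(%s) failed\n", user);
        return 1;
    }
    printf("%s is in %d group(s):", user, n);
    for (int i = 0; i < n; i++)
        printf(" %lu", (unsigned long)gids[i]);
    putchar('\n');
    free(gids);
    return 0;
}
```

Run it as `./a.out someuser 1000` against an account that belongs to dozens of groups to watch the buffer grow; the point is that the caller, not the library, owns the array, so the caller must honour the size the library reports.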

