[Pkg-shadow-devel] Bug#379174: Shadow security update for CVE-2006-3378

Christian Perrier bubulle at debian.org
Sun Jul 23 16:16:00 UTC 2006


Hello dear Security team (and ftpmasters, and shadow package maintainers),

Being back from 2 days' holiday, I discover CVE-2006-3378, which has just
been brought to our attention (#359174 in the BTS).

As far as I can tell, this is a locally exploitable root
vulnerability. Passwd is vulnerable in sarge.

At this very moment, I haven't seen a fix. Nicolas François is working
on one.

Our main problem is that we have another update (namely
4.0.3-31sarge7) pending for passwd, related to #356939. That
update is *not* handled through the security updates queue but rather
through the proposed-updates queue, as I explained to you a few days ago.

It goes this way because it has to be synced with a base-config update
that Joey Hess uploaded in proposed-updates.

The update is named 4.0.3-31sarge7 because a 4.0.3-31sarge6 was not
accepted by the SRM team... and we (SRM and I) didn't want to wait for
ftpmasters' action...


CVE-2006-3378 complicates the whole thing a little bit....:-(


What I propose to you, as soon as we have a fix for CVE-2006-3378:

- urgently destroy 4.0.3-31sarge6 and 31sarge7 from the
  proposed-updates queue. This needs ftpmasters' collaboration with high urgency
- the security team, or the shadow package team, prepares
  4.0.3-31sarge6 with the fix for CVE-2006-3378 *ALONE*
- the shadow package team prepares 4.0.3-31sarge7 with BOTH updates and
  sends it to the proposed-updates queue so that it can be picked up by the
  SRM team when they're ready to update sarge



PS: neither testing nor unstable is affected by this bug, as the
culprit options of passwd have been removed in shadow 4.0.14


