On Thu, May 15, 2008 at 01:16:05PM -0700, Ivan Kohler wrote:
> On Thu, May 15, 2008 at 12:30:21PM -0700, Steve Langasek wrote:
> > On Wed, May 14, 2008 at 07:36:14PM -0700, Ivan Kohler wrote:
> > > On Tue, May 13, 2008 at 10:36:33AM +0200, Christoph Pleger wrote:
> > > > Hello,

> > > > > - The patch needs to be updated to apply against the current package in unstable.

> > > > Done. I have attached a patch for unix_auth.c

> > > > > and, importantly:

> > > > > - we need some code review/feedback/signoff from the Debian folks
> > > > > maintaining PAM and other related components. I am *NOT* going to be
> > > > > the guy who uploads a new setuid binary without adequate review.

> > > > Will you contact them?

> > > I have Cc:'ed [EMAIL PROTECTED], the PAM maintainers:

> > > Please review unix2_chkpwd.c (and the patch to unix_auth.c to use it) in
> > > this bugreport and let us know if you feel it secure to include as a
> > > setuid root binary (like vanilla PAM's /bin/unix_chkpwd).

> > I'm sorry, I have no time to commit to doing an audit of this code. You may
> > wish to look at the Debian Security Audit project:

> > http://www.debian.org/security/audit/faq

> Do you (or anyone else) happen to have a public contact address to
> suggest? The page only points to a non-Debian mailing list, and it
> seems bad form to subscribe [EMAIL PROTECTED]

Steve Kemp, who's listed as starting the project, is [EMAIL PROTECTED] Otherwise, I would expect that contacting the debian-audit mailing list should be fine.

--
Steve Langasek
Debian Developer
Ubuntu Developer
http://www.debian.org/
Give me a lever long enough and a Free OS to set it on, and I can move the world.
[EMAIL PROTECTED] [EMAIL PROTECTED]