On Fri, May 16, 2008 at 04:58:41PM -0700, Steve Langasek wrote:
> On Thu, May 15, 2008 at 01:16:05PM -0700, Ivan Kohler wrote:
> > On Thu, May 15, 2008 at 12:30:21PM -0700, Steve Langasek wrote:
> > > On Wed, May 14, 2008 at 07:36:14PM -0700, Ivan Kohler wrote:
> > > > On Tue, May 13, 2008 at 10:36:33AM +0200, Christoph Pleger wrote:
> > > > > Hello,
> 
> > > > > > - The patch needs to be updated to apply against the current package in
> > > > > > unstable.
> 
> > > > > Done. I have attached a patch for unix_auth.c
> 
> > > > > > and, importantly:
> 
> > > > > > - we need some code review/feedback/signoff from the Debian folks
> > > > > > maintaining PAM and other related components.  I am *NOT* going to be
> > > > > > the guy who uploads a new setuid binary without adequate review.
> 
> > > > > Will you contact them?
> 
> > > > I have Cc:'ed [EMAIL PROTECTED], the PAM maintainers:
> 
> > > > Please review unix2_chkpwd.c (and the patch to unix_auth.c to use it) in
> > > > this bugreport and let us know if you feel it secure to include as a
> > > > setuid root binary (like vanilla PAM's /bin/unix_chkpwd).
> 
> > > I'm sorry, I have no time to commit to doing an audit of this code.  You may
> > > wish to look at the Debian Security Audit project:
> 
> > >   http://www.debian.org/security/audit/faq
> 
> > Do you (or anyone else) happen to have a public contact address to 
> > suggest?  The page only points to a non-Debian mailing list, and it 
> > seems bad form to subscribe [EMAIL PROTECTED]
> 
> Steve Kemp, who's listed as starting the project, is [EMAIL PROTECTED]
> 
> Otherwise, I would expect that contacting the debian-audit mailing list
> should be fine.

Hi Steve Kemp,

Please ask if members of the Security Audit project could review the 
setuid program in the bugreport and Cc: [EMAIL PROTECTED] with any 
findings or discussion.  (As this is a non-Debian mailing list requiring 
subscription to post, I am unable to simply Cc: the list on the 
bugreport as I would when asking a typical group to participate.)

Thanks!

-- 
_ivan


