Package: libc6
Version: 2.7-18
Severity: normal

Hello,

I have several machines where almost all user accounts come by NIS. The NIS server is running on a Solaris machine. As usual, the Solaris NIS server exports the passwd data in the map "passwd" and the shadow data in the map "passwd.adjunct.byname". These two maps are mangled together in some calls of libc6, for example in getpwnam. This makes it possible for every user who has an account on the NIS client machine to see the encrypted passwords of all NIS users. This is a grave security bug.

Furthermore, getspnam returns a NULL pointer for all NIS users, even if getspnam is called by root.

Regards
Christoph

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libc6 depends on:
ii  libgcc1     1:4.3.2-1.1  GCC support library

libc6 recommends no packages.

Versions of packages libc6 suggests:
pn  glibc-doc   <none>       (no description available)
ii  libc6-i686  2.7-18       GNU C Library: Shared libraries [i
ii  locales     2.7-18       GNU C Library: National Language (

-- debconf information:
  glibc/upgrade: true
  glibc/restart-failed:
* glibc/restart-services: ssh openbsd-inetd cron
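
An audit check for the exposure described in the report, added here as an example (it is not part of the original report and not glibc code): run as an unprivileged user on a NIS client, it counts the accounts whose pw_passwd field carries a hash and prints only account names. The classification rules are assumptions: "x" is the usual shadow placeholder, "##name" is the Solaris marker that points at passwd.adjunct, and a hash is taken to be either a "$id$..." string or 13 characters of the traditional crypt alphabet.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* How a pw_passwd value returned by the passwd lookup should be read. */
enum pw_field_kind { PW_LOCKED_OR_EMPTY, PW_PLACEHOLDER, PW_ADJUNCT_MARKER,
                     PW_EXPOSED_HASH, PW_OTHER };

/* Classify a pw_passwd value; the value itself is never printed. */
enum pw_field_kind classify_pw_field(const char *field)
{
    static const char crypt_chars[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

    if (field == NULL || field[0] == '\0' || field[0] == '*' || field[0] == '!')
        return PW_LOCKED_OR_EMPTY;
    if (strcmp(field, "x") == 0)
        return PW_PLACEHOLDER;        /* hash is kept in the shadow database */
    if (strncmp(field, "##", 2) == 0)
        return PW_ADJUNCT_MARKER;     /* passwd.adjunct reference, not merged */
    if (field[0] == '$' && strchr(field + 1, '$') != NULL)
        return PW_EXPOSED_HASH;       /* modular crypt format: $id$salt$hash */
    if (strlen(field) == 13 && strspn(field, crypt_chars) == 13)
        return PW_EXPOSED_HASH;       /* traditional 13-character crypt */
    return PW_OTHER;                  /* unrecognised token */
}

/* Walk every account NSS returns to this process and count the entries
 * whose passwd view contains a hash. */
int count_exposed_accounts(void)
{
    struct passwd *pw;
    int exposed = 0;

    setpwent();
    while ((pw = getpwent()) != NULL) {
        if (classify_pw_field(pw->pw_passwd) == PW_EXPOSED_HASH) {
            printf("hash visible in passwd view: %s\n", pw->pw_name);
            exposed++;
        }
    }
    endpwent();
    return exposed;
}

int main(void)
{
    return count_exposed_accounts() > 0;   /* exit status 1 if any exposed */
}
```

A count of zero for NIS accounts together with PW_ADJUNCT_MARKER or PW_PLACEHOLDER values is the state in which hashes are not readable through getpwnam/getpwent.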