Werner Koch <w...@gnupg.org> writes:
> Are you trying to tell us that there is an application with dependencies
> to libnss, openldap and gnutls and that one is intended to be run suid?
> Did you audit all that code and the way the code is used to be written
> properly in a way that the suid-ness is not exploitable?

Yes, it is even quite simple to write such an application: Just call getgroups(), getpwent(), ... on a system that uses LDAP. If there is no caching daemon like nscd running, the application will use libnss-ldap (via glibc's Name Service Switch) which can in turn use gnutls.

As the application itself does not use openldap, gnutls, or gcrypt there is no way it could initialize gcrypt.

Using PAM can probably result in similar problems.

Regards,
Ansgar
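
The library loading described in this message can be observed from inside a process. The C program below is an added example, not code from the thread: it performs one passwd lookup with getpwuid() (standing in for the getpwent() call mentioned above) and reports which of the libraries named in the thread were mapped as a result, by reading /proc/self/maps on Linux. The substring names in WATCHED and all function names are assumptions made for the example.

```c
/* Added example: audit which libraries an NSS lookup pulls into this process. */
#include <stdio.h>
#include <string.h>
#include <pwd.h>
#include <unistd.h>
#include <sys/types.h>

/* Name fragments for the libraries named in the thread (assumed spellings). */
static const char *const WATCHED[] = { "libnss_ldap", "libldap", "libgnutls", "libgcrypt" };
#define N_WATCHED (sizeof WATCHED / sizeof WATCHED[0])

/* Return the index of the watched library named in a maps line, or -1. */
int watched_index(const char *maps_line)
{
    for (size_t i = 0; i < N_WATCHED; i++)
        if (strstr(maps_line, WATCHED[i]))
            return (int)i;
    return -1;
}

/* Return a bitmask of watched libraries currently mapped, or -1 on error. */
int mapped_watched_libs(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[4096];
    int mask = 0;
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        int i = watched_index(line);
        if (i >= 0) mask |= 1 << i;
    }
    fclose(f);
    return mask;
}

/* 1 if the real and effective ids differ, i.e. the binary runs set-id. */
int is_setid(void) { return getuid() != geteuid() || getgid() != getegid(); }

int main(void)
{
    int before = mapped_watched_libs();
    (void)getpwuid(getuid());          /* passwd lookup, resolved through NSS */
    int after = mapped_watched_libs();
    if (before < 0 || after < 0) { perror("/proc/self/maps"); return 2; }
    printf("set-id process: %s\n", is_setid() ? "yes" : "no");
    for (size_t i = 0; i < N_WATCHED; i++)
        if ((after & ~before) & (1 << i))
            printf("loaded by NSS lookup: %s\n", WATCHED[i]);
    return 0;
}
```

On a host without LDAP in nsswitch.conf, or with nscd answering the lookup, the program prints only the set-id line.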