Package: pam-ssh-agent-auth
Version: 0.10.2-1
Severity: critical
Tags: security upstream
Control: forwarded -1 https://sourceforge.net/p/pamsshagentauth/bugs/23/

Dear Maintainer,

The build logs show two security related warnings which probably need attention.

https://buildd.debian.org/status/fetch.php?pkg=pam-ssh-agent-auth&arch=i386&ver=0.10.2-1&stamp=1454675300 :

...
authfd.c: In function 'ssh_get_authentication_socket':
authfd.c:147:5: warning: ignoring return value of 'seteuid', declared with attribute warn_unused_result [-Wunused-result]
     seteuid(uid); /* To ensure a race condition is not used to circumvent the stat
     ^
authfd.c:156:5: warning: ignoring return value of 'seteuid', declared with attribute warn_unused_result [-Wunused-result]
     seteuid(0); /* we now continue the regularly scheduled programming */
     ^
...

From man seteuid:

...
RETURN VALUE
       On success, zero is returned. On error, -1 is returned, and errno is
       set appropriately.

       Note: there are cases where seteuid() can fail even when the caller
       is UID 0; it is a grave security error to omit checking for a failure
       return from seteuid().
...

Cheers,
Balint
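
The pattern the two warnings point at (switch the effective UID, do the work, switch back) with both seteuid() results checked, as an added example that is not code from pam-ssh-agent-auth or from this report. run_as_euid() and record_euid() are hypothetical names; the callback is a constructed stand-in for the socket check done in ssh_get_authentication_socket.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: run fn(arg) with the effective UID set to uid.
 * Returns fn's result, or -1 without calling fn when the switch fails,
 * so the work is never done under the wrong identity. */
int run_as_euid(uid_t uid, int (*fn)(void *), void *arg)
{
    uid_t saved = geteuid();
    int rc;

    if (seteuid(uid) != 0) {
        fprintf(stderr, "seteuid(%lu) failed: %s\n",
                (unsigned long)uid, strerror(errno));
        return -1;              /* fail closed: fn is not called */
    }

    rc = fn(arg);

    /* If the original euid cannot be regained, the process identity is
     * not what the caller expects; stop instead of continuing. */
    if (seteuid(saved) != 0 || geteuid() != saved) {
        perror("seteuid(restore)");
        abort();
    }
    return rc;
}

/* Constructed stand-in for the work done under the switched identity:
 * records the effective UID that was in force while it ran. */
int record_euid(void *arg)
{
    *(uid_t *)arg = geteuid();
    return 0;
}

int main(void)
{
    uid_t seen = (uid_t)-1;
    int rc = run_as_euid(geteuid(), record_euid, &seen);
    printf("rc=%d, callback ran with euid=%lu\n", rc, (unsigned long)seen);
    return rc == 0 ? 0 : 1;
}
```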