oss-sec mailing list archives

Re: Re: [Pkg-shadow-devel] subuid security patches for shadow package


From: Salvatore Bonaccorso <carnil () debian org>
Date: Thu, 21 Jul 2016 22:21:59 +0200

Hi,

On Wed, Jul 20, 2016 at 11:48:52PM +0200, Nicolas François wrote:
> Hi,
>
> The first point looks like a non-issue to me.
>
> getlogin() is used to differentiate users with the same UID.
> The result of getlogin() is checked: if it returns a username that does not
> have the UID returned by getuid(), it will be ignored.

@MITRE CVE assignment team: This is for CVE-2016-6251. See above and
https://bugzilla.redhat.com/show_bug.cgi?id=1358622#c2 . 

Should this CVE be REJECTED?

Regards,
Salvatore
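
The check described in the quoted message, as an added example that is not part of the original post and not the shadow package's own code. The account table, `struct account`, `by_name`, `by_uid` and `resolve_caller` are hypothetical names constructed for illustration; `login_hint` stands in for the result of getlogin() and `real_uid` for getuid().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed account table: "alice" and "alice-adm" share UID 1000. */
struct account { const char *name; uid_t uid; };
static const struct account accounts[] = {
    { "root", 0 }, { "alice", 1000 }, { "alice-adm", 1000 }, { "bob", 1001 },
};
#define N_ACCOUNTS (sizeof accounts / sizeof accounts[0])

static const struct account *by_name(const char *name)
{
    for (size_t i = 0; i < N_ACCOUNTS; i++)
        if (strcmp(accounts[i].name, name) == 0)
            return &accounts[i];
    return NULL;
}

static const struct account *by_uid(uid_t uid)
{
    for (size_t i = 0; i < N_ACCOUNTS; i++)
        if (accounts[i].uid == uid)
            return &accounts[i];
    return NULL;
}

/* login_hint stands in for getlogin(), real_uid for getuid(). The hint only
 * chooses between names that already map to real_uid; a NULL, empty, unknown
 * or mismatching hint is ignored and the lookup falls back to the UID. */
const struct account *resolve_caller(const char *login_hint, uid_t real_uid)
{
    if (login_hint != NULL && *login_hint != '\0') {
        const struct account *a = by_name(login_hint);
        if (a != NULL && a->uid == real_uid)
            return a;
    }
    return by_uid(real_uid);
}

int main(void)
{
    /* A hint naming root while running as UID 1000 resolves to "alice". */
    printf("%s\n", resolve_caller("root", 1000)->name);
    printf("%s\n", resolve_caller("alice-adm", 1000)->name);
    return 0;
}
```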

