Debian bug report logs - #1673
npasswd won't install, and has security problems

Message received at debian-bugs-done:

From mdd.comm.mot.com!mitchell Fri Oct 13 15:25:48 1995
Return-Path: <mitchell@mdd.comm.mot.com>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t3sY0-000BCQC; Fri, 13 Oct 95 15:25 PDT
Received: from motgate.mot.com by pixar.com with SMTP id AA08390
  (5.67b/IDA-1.5 for debian-developer-pipe@mongo.pixar.com); Fri, 13 Oct 1995 15:25:24 -0700
Received: from pobox.mot.com (pobox.mot.com [129.188.137.100]) by motgate.mot.com (8.6.11/8.6.10/MOT-3.8) with ESMTP id RAA25678; Fri, 13 Oct 1995 17:25:38 -0500
Received: from mdd.comm.mot.com (mdisea.mdd.comm.mot.com [138.242.64.201]) by pobox.mot.com (8.6.11/8.6.10/MOT-3.8) with SMTP id RAA19352; Fri, 13 Oct 1995 17:25:35 -0500
Received: from bb29c.mdd.comm.mot.com by mdd.comm.mot.com (4.1/SMI-4.1)
	id AA26980; Fri, 13 Oct 95 15:25:33 PDT
Received: by bb29c.mdd.comm.mot.com (4.1/SMI-4.1)
	id AA02842; Fri, 13 Oct 95 15:25:28 PDT
Date: Fri, 13 Oct 95 15:25:28 PDT
From: mitchell@mdd.comm.mot.com (Bill Mitchell)
Message-Id: <9510132225.AA02842@bb29c.mdd.comm.mot.com>
To: debian-bugs-done@pixar.com, marekm@i17linuxb.ists.pwr.wroc.pl,
        debian-devel@pixar.com
Subject: Re: Bug#1673: npasswd won't install, and has security problems

 Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl> said:

> The npasswd-1.2-8.deb package in "contrib" won't install (at least with
> dpkg-1.0.0) - dpkg complains something about bad file format or some such.
> 
> No big loss [...]

I'm the maintainer-of-record for npasswd, though I never did
make a fully functional version available and have touched it
only to build packages tracking our evolving packaging guidelines
in the last year (maybe two).

I recently asked if anybody objected to my withdrawing it, and
received no response.

Please withdraw the present npasswd package from the distribution.

Message received at debian-bugs:

From i17linuxb.ists.pwr.wroc.pl!marekm Fri Oct 13 08:55:47 1995
Return-Path: <marekm@i17linuxb.ists.pwr.wroc.pl>
Received: from pixar.com by mongo.pixar.com with smtp
	(Smail3.1.28.1 #15) id m0t3mSZ-000DmJC; Fri, 13 Oct 95 08:55 PDT
Received: from i17linuxb.ists.pwr.wroc.pl by pixar.com with SMTP id AA09104
  (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Fri, 13 Oct 1995 08:55:21 -0700
Received: (from marekm@localhost) by i17linuxb.ists.pwr.wroc.pl (8.6.12/8.6.9) id QAA02252 for debian-bugs@pixar.com; Fri, 13 Oct 1995 16:55:36 +0100
From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
Message-Id: <199510131555.QAA02252@i17linuxb.ists.pwr.wroc.pl>
Subject: npasswd won't install, and has security problems
To: debian-bugs@pixar.com
Date: Fri, 13 Oct 1995 16:55:33 +0100 (MET)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 905       

Package: npasswd
Version: 1.2-8

The npasswd-1.2-8.deb package in "contrib" won't install (at least with
dpkg-1.0.0) - dpkg complains something about bad file format or some such.

No big loss - this version seems to have some fundamental security holes
like strcpy() of user-supplied username without checking if it will fit
in the destination array.  Someone else should look at the source to
confirm this, but if this is true, better remove the package and tell
everyone to remove it from their system if anyone managed to install it.

There is a new version, npasswd 2.0, under development, currently only
available for "serious developers".  I don't know what is the definition
of a "serious developer" used by the author, I had no success getting
the beta version, maybe someone else will look more serious than me :-).

See http://uts.cc.utexas.edu/~clyde/npasswd.html for more information.

Marek