Debian bug report logs - #1673, boring messages

-----------------------------------------------------------------------

Message sent to debian-devel@pixar.com:

Subject: Bug#1673: npasswd won't install, and has security problems
Reply-To: Marek Michalkiewicz , debian-bugs@pixar.com
Resent-From: Marek Michalkiewicz
Resent-To: debian-devel@pixar.com
Resent-Date: Fri, 13 Oct 1995 16:03:02 GMT
Resent-Message-ID:
Resent-Sender: iwj10@cus.cam.ac.uk
X-Debian-PR-Package: npasswd
X-Debian-PR-Keywords:
Received: via spool for debian-bugs; Fri, 13 Oct 1995 16:03:02 GMT
Received: with rfc822 via encapsulated-mail; Fri, 13 Oct 1995 15:57:21 GMT
Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0t3mSZ-000DmJC; Fri, 13 Oct 95 08:55 PDT
Received: from i17linuxb.ists.pwr.wroc.pl by pixar.com with SMTP id AA09104 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Fri, 13 Oct 1995 08:55:21 -0700
Received: (from marekm@localhost) by i17linuxb.ists.pwr.wroc.pl (8.6.12/8.6.9) id QAA02252 for debian-bugs@pixar.com; Fri, 13 Oct 1995 16:55:36 +0100
From: Marek Michalkiewicz
Message-Id: <199510131555.QAA02252@i17linuxb.ists.pwr.wroc.pl>
To: debian-bugs@pixar.com
Date: Fri, 13 Oct 1995 16:55:33 +0100 (MET)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 905

Package: npasswd
Version: 1.2-8

The npasswd-1.2-8.deb package in "contrib" won't install (at least with dpkg-1.0.0) - dpkg complains something about bad file format or some such. No big loss - this version seems to have some fundamental security holes like strcpy() of user-supplied username without checking if it will fit in the destination array. Someone else should look at the source to confirm this, but if this is true, better remove the package and tell everyone to remove it from their system if anyone managed to install it.

There is a new version, npasswd 2.0, under development, currently only available for "serious developers".
I don't know what is the definition of a "serious developer" used by the author, I had no success getting the beta version, maybe someone else will look more serious than me :-). See http://uts.cc.utexas.edu/~clyde/npasswd.html for more information.

Marek

-----------------------------------------------------------------------

Message sent:

From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: Marek Michalkiewicz
Subject: Bug#1673: Acknowledgement (was: npasswd won't install, and has security problems)
In-Reply-To: <199510131555.QAA02252@i17linuxb.ists.pwr.wroc.pl>
References: <199510131555.QAA02252@i17linuxb.ists.pwr.wroc.pl>

Thank you for the problem report you have sent regarding Debian GNU/Linux. This is an automatically generated reply, to let you know your message has been received. It is being forwarded to the developers' mailing list for their attention; they will reply in due course.

If you wish to submit further information on your problem, please send it to debian-bugs@pixar.com, but please ensure that the Subject line of your message starts with "Bug#1673" or "Re: Bug#1673" so that we can identify it as relating to the same problem.

Please do not reply to the address at the top of this message, unless you wish to report a problem with the bug-tracking system.

Ian Jackson
(maintainer, debian-bugs)

-----------------------------------------------------------------------

Message sent:

From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: mitchell@mdd.comm.mot.com (Bill Mitchell)
In-Reply-To: <9510132225.AA02842@bb29c.mdd.comm.mot.com>
References: <9510132225.AA02842@bb29c.mdd.comm.mot.com> <199510131555.QAA02252@i17linuxb.ists.pwr.wroc.pl>
Subject: Bug#1673: marked as done (was: npasswd won't install, and has security problems)

Your message dated Fri, 13 Oct 95 15:25:28 PDT
with message-id <9510132225.AA02842@bb29c.mdd.comm.mot.com>
and subject line Bug#1673: npasswd won't install, and has security problems
has caused the attached bug report to be marked as done.
It is now your responsibility to ensure that the bug report is dealt with.

(NB: If you are a system administrator and have no idea what I'm talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Ian Jackson
(maintainer, debian-bugs)

Received: with rfc822 via encapsulated-mail; Fri, 13 Oct 1995 15:57:21 GMT
From i17linuxb.ists.pwr.wroc.pl!marekm Fri Oct 13 08:55:47 1995
Return-Path:
Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0t3mSZ-000DmJC; Fri, 13 Oct 95 08:55 PDT
Received: from i17linuxb.ists.pwr.wroc.pl by pixar.com with SMTP id AA09104 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Fri, 13 Oct 1995 08:55:21 -0700
Received: (from marekm@localhost) by i17linuxb.ists.pwr.wroc.pl (8.6.12/8.6.9) id QAA02252 for debian-bugs@pixar.com; Fri, 13 Oct 1995 16:55:36 +0100
From: Marek Michalkiewicz
Message-Id: <199510131555.QAA02252@i17linuxb.ists.pwr.wroc.pl>
Subject: npasswd won't install, and has security problems
To: debian-bugs@pixar.com
Date: Fri, 13 Oct 1995 16:55:33 +0100 (MET)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 905

Package: npasswd
Version: 1.2-8

The npasswd-1.2-8.deb package in "contrib" won't install (at least with dpkg-1.0.0) - dpkg complains something about bad file format or some such. No big loss - this version seems to have some fundamental security holes like strcpy() of user-supplied username without checking if it will fit in the destination array. Someone else should look at the source to confirm this, but if this is true, better remove the package and tell everyone to remove it from their system if anyone managed to install it.

There is a new version, npasswd 2.0, under development, currently only available for "serious developers". I don't know what is the definition of a "serious developer" used by the author, I had no success getting the beta version, maybe someone else will look more serious than me :-).
See http://uts.cc.utexas.edu/~clyde/npasswd.html for more information.

Marek

-----------------------------------------------------------------------

Message sent:

From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: Marek Michalkiewicz
Subject: Bug#1673 acknowledged by developer (was: npasswd won't install, and has security problems)
References: <9510132225.AA02842@bb29c.mdd.comm.mot.com> <199510131555.QAA02252@i17linuxb.ists.pwr.wroc.pl>
In-Reply-To: <199510131555.QAA02252@i17linuxb.ists.pwr.wroc.pl>

This is an automatic notification regarding your bug report.

Responsibility for it has been taken by one of the developers, namely mitchell@mdd.comm.mot.com (Bill Mitchell).

You should be hearing from them with a substantive response shortly, if you have not already done so. If not, please contact them directly, or email debian-bugs@pixar.com or myself.

Ian Jackson
(maintainer, debian-bugs)

-----------------------------------------------------------------------

Ian Jackson / iwj10@thor.cam.ac.uk, with the debian-bugs tracking mechanism
This page last modified 07:43:01 GMT Wed 01 Nov
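
The defect class named in the report, strcpy() of a user-supplied username into a fixed-size array, shown next to a length-checked copy. This is an added example, not npasswd source and not part of the bug log; `struct request`, `USERNAME_MAX` and both function names are hypothetical, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 32   /* assumed size of the destination array */

struct request {          /* hypothetical, not npasswd's own structure */
    char username[USERNAME_MAX];
};

/* The pattern the report describes: nothing checks that name fits.
 * A name of USERNAME_MAX bytes or more writes past r->username. */
void set_username_unchecked(struct request *r, const char *name)
{
    strcpy(r->username, name);
}

/* Length-checked form: find the terminator within the limit first and
 * reject rather than truncate, so a different account is never selected.
 * Returns 0 on success, -1 if name is NULL, empty or too long. */
int set_username_checked(struct request *r, const char *name)
{
    const char *end;

    if (r == NULL || name == NULL)
        return -1;
    end = memchr(name, '\0', USERNAME_MAX);  /* scans at most USERNAME_MAX bytes */
    if (end == NULL || end == name)
        return -1;                           /* too long, or empty */
    memcpy(r->username, name, (size_t)(end - name) + 1);  /* includes the NUL */
    return 0;
}

int main(void)
{
    struct request r = { "" };
    char long_name[4 * USERNAME_MAX];        /* constructed oversized input */

    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    set_username_unchecked(&r, "alice");     /* safe only because it is short */
    printf("short name accepted: %d\n", set_username_checked(&r, "alice"));
    printf("long name rejected:  %d\n", set_username_checked(&r, long_name));
    return 0;
}
```

Rejecting an over-long name leaves the previous contents of the buffer untouched, which the caller can rely on when reporting the error.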