Debian bug report logs - #1673 npasswd won't install, and has security problems Package: npasswd ; Reported by: Marek Michalkiewicz ; Done: mitchell@mdd.comm.mot.com (Bill Mitchell). ----------------------------------------------------------------------- Message received at debian-bugs-done: From mdd.comm.mot.com!mitchell Fri Oct 13 15:25:48 1995 Return-Path: Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0t3sY0-000BCQC; Fri, 13 Oct 95 15:25 PDT Received: from motgate.mot.com by pixar.com with SMTP id AA08390 (5.67b/IDA-1.5 for debian-developer-pipe@mongo.pixar.com); Fri, 13 Oct 1995 15:25:24 -0700 Received: from pobox.mot.com (pobox.mot.com [129.188.137.100]) by motgate.mot.com (8.6.11/8.6.10/MOT-3.8) with ESMTP id RAA25678; Fri, 13 Oct 1995 17:25:38 -0500 Received: from mdd.comm.mot.com (mdisea.mdd.comm.mot.com [138.242.64.201]) by pobox.mot.com (8.6.11/8.6.10/MOT-3.8) with SMTP id RAA19352; Fri, 13 Oct 1995 17:25:35 -0500 Received: from bb29c.mdd.comm.mot.com by mdd.comm.mot.com (4.1/SMI-4.1) id AA26980; Fri, 13 Oct 95 15:25:33 PDT Received: by bb29c.mdd.comm.mot.com (4.1/SMI-4.1) id AA02842; Fri, 13 Oct 95 15:25:28 PDT Date: Fri, 13 Oct 95 15:25:28 PDT From: mitchell@mdd.comm.mot.com (Bill Mitchell) Message-Id: <9510132225.AA02842@bb29c.mdd.comm.mot.com> To: debian-bugs-done@pixar.com, marekm@i17linuxb.ists.pwr.wroc.pl, debian-devel@pixar.com Subject: Re: Bug#1673: npasswd won't install, and has security problems Marek Michalkiewicz said: > The npasswd-1.2-8.deb package in "contrib" won't install (at least with > dpkg-1.0.0) - dpkg complains something about bad file format or some such. > > No big loss [...] I'm the maintainer-of-record for npasswd, though I never did make a fully functional version available and have touched it only to build packages tracking our evolving packaging guidelines in the last year (maybe two). I recently asked if anybody objected to my withdrawing it, and received no response. Please withdraw the present npasswd package from the distribution. ----------------------------------------------------------------------- Notification sent to Marek Michalkiewicz : Bug acknowledged by developer. Full text available. ----------------------------------------------------------------------- Reply sent to mitchell@mdd.comm.mot.com (Bill Mitchell) : You have taken responsibility. Full text available. ----------------------------------------------------------------------- Message received at debian-bugs: From i17linuxb.ists.pwr.wroc.pl!marekm Fri Oct 13 08:55:47 1995 Return-Path: Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0t3mSZ-000DmJC; Fri, 13 Oct 95 08:55 PDT Received: from i17linuxb.ists.pwr.wroc.pl by pixar.com with SMTP id AA09104 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Fri, 13 Oct 1995 08:55:21 -0700 Received: (from marekm@localhost) by i17linuxb.ists.pwr.wroc.pl (8.6.12/8.6.9) id QAA02252 for debian-bugs@pixar.com; Fri, 13 Oct 1995 16:55:36 +0100 From: Marek Michalkiewicz Message-Id: <199510131555.QAA02252@i17linuxb.ists.pwr.wroc.pl> Subject: npasswd won't install, and has security problems To: debian-bugs@pixar.com Date: Fri, 13 Oct 1995 16:55:33 +0100 (MET) X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 905 Package: npasswd Version: 1.2-8 The npasswd-1.2-8.deb package in "contrib" won't install (at least with dpkg-1.0.0) - dpkg complains something about bad file format or some such. No big loss - this version seems to have some fundamental security holes like strcpy() of user-supplied username without checking if it will fit in the destination array. Someone else should look at the source to confirm this, but if this is true, better remove the package and tell everyone to remove it from their system if anyone managed to install it. There is a new version, npasswd 2.0, under development, currently only available for "serious developers". I don't know what is the definition of a "serious developer" used by the author, I had no success getting the beta version, maybe someone else will look more serious than me :-). See http://uts.cc.utexas.edu/~clyde/npasswd.html for more information. Marek ----------------------------------------------------------------------- Acknowledgement sent to Marek Michalkiewicz : New bug report received and forwarded. Full text available. ----------------------------------------------------------------------- Report forwarded to debian-devel@pixar.com : Bug#1673 ; Package npasswd . Full text available. ----------------------------------------------------------------------- Ian Jackson / iwj10@thor.cam.ac.uk , with the debian-bugs tracking mechanism This page last modified 07:43:01 GMT Wed 01 Nov