forcemerge 483645 510635
thanks

On Sat, Jan 03, 2009 at 11:47:34PM +0100, Yannis Aribaud wrote:
> Package: libc6
> Version: 2.7-16
> Severity: normal
> File: glibc
>
>
> Hi,
>
> I was working on setting nss-pgsql on my system when I discovered this bug.
> It seems that uid/gid use 32-bit integers and if a uid/gid is set bigger than
> (2^32)-1,
> there is an overflow.
>
> For example I have done this:
>
> # echo "toto:x:4294967296:4294967296:Fake root:/home/linus:/bin/bash" >>
> /etc/passwd
>
> The result is:
>
> # id toto
> uid=0(root) gid=0(root) groupes=0(root)
>
> This could be a security break...

While I agree this bug should be fixed, I don't believe it is a security
break, given that no tools allow such values to be written to /etc/passwd.

-- 
  .''`.  Aurelien Jarno             | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   aure...@debian.org         | aurel...@aurel32.net
   `-    people.debian.org/~aurel32 | www.aurel32.net
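
Added example, not part of the original thread and not glibc's code: a minimal C sketch of how a numeric passwd field one past (2^32)-1 becomes 0 when the parsed value is narrowed to 32 bits, next to a strict parse that rejects it. The function names are hypothetical, the passwd line is the one from the report, and ids are assumed to be 32-bit as the report states.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Start of colon-separated field n (0-based), or NULL if the line is too short. */
static const char *field(const char *line, int n)
{
    while (n-- > 0 && (line = strchr(line, ':')) != NULL)
        line++;
    return line;
}

/* Narrowing parse: convert, then silently keep only the low 32 bits. */
uint32_t parse_id_truncating(const char *s)
{
    return (uint32_t)strtoull(s, NULL, 10);
}

/* Strict parse: 0 on success, -1 if the field is not a plain decimal number
 * ending at ':' or end of string, or if it does not fit in 32 bits. */
int parse_id_strict(const char *s, uint32_t *out)
{
    char *end;
    unsigned long long v;

    if (s == NULL || *s < '0' || *s > '9')   /* no sign, no leading space */
        return -1;
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno == ERANGE || (*end != ':' && *end != '\0') || v > UINT32_MAX)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

int main(void)
{
    /* Sample input: the passwd line quoted in the report. */
    const char *line = "toto:x:4294967296:4294967296:Fake root:/home/linus:/bin/bash";
    const char *uid_field = field(line, 2);
    uint32_t uid = 0;

    printf("truncating parse: uid=%u\n", (unsigned)parse_id_truncating(uid_field));
    printf("strict parse: %s\n",
           parse_id_strict(uid_field, &uid) == 0 ? "accepted" : "rejected");
    return 0;
}
```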