Message-ID: <20100107220528.GM7032@hall.aurel32.net>
Date: Thu, 7 Jan 2010 23:05:28 +0100
From: Aurelien Jarno <aurelien@...el32.net>
To: oss-security@...ts.openwall.com
Cc: Christoph Pleger <Christoph.Pleger@...tu-dortmund.de>
Subject: CVE id request: GNU libc: NIS shadow password leakage

Hi oss-sec,

Christoph Pleger has reported through the Debian bug tracker [1] that
non-privileged users can read NIS shadow password entries simply
using getpwnam() when nscd is in use.

The issue has already been reported upstream [2], and a proposed patch
is available on [3].

It seems that all GNU libc versions are affected, including derivatives
like EGLIBC.

Could we please get a CVE id for this issue?

Thanks,
Aurelien

[1] http://bugs.debian.org/560333
[2] http://sourceware.org/bugzilla/show_bug.cgi?id=11134
[3] http://svn.debian.org/viewsvn/pkg-glibc/glibc-package/trunk/debian/patches/any/submitted-nis-shadow.diff?revision=4062&view=markup

-- 
Aurelien Jarno	                        GPG: 1024D/F1BCDB73
aurelien@...el32.net                 http://www.aurel32.net
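
The condition reported in the message above can be checked from an unprivileged account with the following added example (not part of the original post or of the proposed glibc patch). It calls getpwnam() for each account named on the command line and reports whether the returned pw_passwd field looks like a hash rather than a placeholder; the classification heuristic and the function names are assumptions of this example.

```c
/* Added example: does getpwnam() hand the calling user a password hash?
   Hash values are never printed; only the account name is reported. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum pw_field { PW_EMPTY, PW_PLACEHOLDER, PW_HASH_LIKE };

#define DES_CHARS "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

/* Heuristic (an assumption of this example): "$id$..." modular-crypt strings
   and 13-character traditional crypt strings count as hashes; "x", "*", "!"
   and anything else non-empty count as placeholders. */
enum pw_field classify_pw_passwd(const char *p)
{
    if (p == NULL || *p == '\0')
        return PW_EMPTY;
    while (*p == '!')               /* a lock marker may prefix a real hash */
        p++;
    if (p[0] == '$' && strchr(p + 1, '$') != NULL)
        return PW_HASH_LIKE;
    if (strlen(p) == 13 && strspn(p, DES_CHARS) == 13)
        return PW_HASH_LIKE;
    return PW_PLACEHOLDER;
}

/* Returns 1 if getpwnam() exposes a hash-like field for `name`,
   0 if it does not, -1 if the account is unknown. */
int hash_visible_for(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    return classify_pw_passwd(pw->pw_passwd) == PW_HASH_LIKE;
}

int main(int argc, char **argv)
{
    int exposed = 0;
    for (int i = 1; i < argc; i++) {
        int r = hash_visible_for(argv[i]);
        if (r == 1) {
            exposed++;
            printf("%s: hash-like pw_passwd visible to uid %d\n", argv[i], (int)getuid());
        } else {
            printf("%s: %s\n", argv[i], r == 0 ? "no hash exposed" : "unknown account");
        }
    }
    return exposed ? 1 : 0;
}
```

Run it as an ordinary user, once with nscd running and once with it stopped; a non-zero exit status means at least one named account returned a hash-like field.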
