Re: Bug#289784: [Debian-audit] xshisen (again)

From: Grzegorz B. Prokopski <gadek_at_debian.org>
Date: Wed, 12 Jan 2005 14:00:46 -0500

On Wed, 2005-01-12 at 17:29 +0100, Ulf Härnhammar wrote:
> Quoting Steve Kemp <steve_at_shellcode.org>:
>
> > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=289784
> >
> > That's an .. unlikely .. bug to occur in practice. I guess only
> > root can modify the GECOS field.
>
> No, you can use the chfn command to change all data in your own GECOS field
> except your real name. The command checks the length of all data, so you
> probably can't use it for this attack (it might be possible to enter the
> maximum amount in each field and make it reach 160 bytes that way). There are
> other systems that will let you edit your GECOS field, like webmin (I think)
> and more.
>
> It's not a really serious bug, but IMHO worth fixing.

I do not have my new GPG key signed yet (sigh) so I am in no position to
perform an upload. Could somebody please apply the fix and NMU?

Thanks,

                                Grzegorz B. Prokopski
Received on Wed Jan 12 2005 - 19:01:24 GMT

