[lfs-dev] Bug#832170: shadow: CVE-2016-6252: Incorrect integer handling

William Harrington kb0iic at berzerkula.org
Sat Jul 23 18:46:18 PDT 2016

On Sat, 23 Jul 2016 11:24:58 -0500
"Douglas R. Reno" <renodr at linuxfromscratch.org> wrote:

> Bruce Dubbs wrote:
> > I can find no description for this vulnerability.  The links just say 
> > that the Debian version is vulnerable and unfixed.  Looking at Mitre, 
> > they just say the CVE entry is reserved.
> >
> > Without any detail, there is nothing we can do.
> >
> > RedHat does say the vulnerability is 'local'
> >
> > I did find this:
> >
> > http://seclists.org/oss-sec/2016/q3/115
> >
> >   -- Bruce
> >
> The CVE will remain reserved as long as a company like Novell (SuSE) or 
> RedHat feels like it. There is no policy on that. There are several that 
> have been released publicly that still say reserved thanks to the 
> actions of those companies. Canonical is probably the same way. See the 
> emails I forwarded privately for patches and such. I don't think Mailman 
> would approve of me forwarding all 7 of them at one time.

Hello Douglas,

Thank you for the Shadow resources. I've also been watching the pkg-shadow-devel list for a long time. There are many updates since the last Shadow release, and a new maintainer is also in the mix. They are planning a Shadow 4.3 release which fixes a lot of issues. Be on the lookout for it in a few weeks/months. The release has been slow moving.

Please review changes at https://github.com/shadow-maint/shadow


William Harrington
William Harrington <kb0iic at berzerkula.org>
