[linux-security] Re: shadow-971001

[M Taylor <mctaylor mta ca>]

At 06:02 PM 7/10/98 -0500, you wrote:
>I think I may have found a security weakness w/ login in shadow-971001.  I
>can't imagine this being a large problem if no one has run into it yet,
>but I know that's not the way to run security.
>...
>I appologize for being out of coding long enough to put together a patch
>and contact the _right_ people before hand (I'm getting back though),
>however if this does in fact need to be patched, it should be as simple as
>what's done in su.c from the same package:
>...

Did you inform the shadow package maintainer? 

If you have the source, or even the docs this shouldn't be much of a
problem an email address should be included, a simple CC would suffice. 

Please, everyone, if you have an issue with a package, inform:
a) the original author
or
b) the Linux 'port' maintainer, if not already a.
or
c) both, if it might affects multiple platforms.

In fact, I think it was the maintainer of the shadow package who complained
that vendors or users (don't remember) were producing their own patches,
yet not informing him of the risk or the patch.

If it is the package I think it is then:
Author:         jfh tab com (Julianne F. Haugh)
Maintained-by:  marekm piast t19 ds pwr wroc pl (Marek Michalkiewicz)
(according to http://sunsite.unc.edu/pub/Linux/system/admin/shadow.lsm)

Current version appears to be 980628 first off...