Bug 11436

Summary: slim new security issue CVE-2013-4412
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED INVALID QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: derekjenn, n54, pmdenielou
Version: 3   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard:
Source RPM: slim-1.3.4-3.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-10-10 21:37:15 CEST
The issue with crypt() and NULL and glibc 2.17 has been assigned a CVE:
http://openwall.com/lists/oss-security/2013/10/09/4

I added mancha's patch to Cauldron a while ago.  It turns out that this issue doesn't matter for us, as we have USE_PAM defined in the spec file, so the vulnerable code is #ifdef'd out if that's defined, and we're not affected.

I'm filing this bug just to have it on record and mark it as INVALID.

Comment 1 David Walser 2013-10-10 21:38:27 CEST
BTW, the patch for this can be removed once we update to slim 1.3.6.  I tried to do it myself, but it won't build due to linking errors with various Xorg symbols.  I'm CC'ing the previous updaters of this package.

Status: NEW => RESOLVED
CC: (none) => derekjenn, n54, pierre-malo.denielou
Resolution: (none) => INVALID
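
Added example, not part of the bug report and not SLiM's or the patch author's code: a sketch of the non-PAM password check pattern the description refers to, with the result of crypt() tested for NULL before it is compared. The names check_password, crypt_fn and stub_crypt, the "$6$" test and the sample hashes are assumptions constructed for illustration; stub_crypt stands in for crypt(3) so the block runs without libcrypt.

```c
#include <stddef.h>
#include <string.h>

/* Same signature as crypt(3); injected so the check runs without libcrypt. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Constructed stand-in for a crypt() that can fail: returns NULL when the
 * salt is not one it accepts, otherwise a fixed, constructed "hash". */
char *stub_crypt(const char *key, const char *salt)
{
    static char out[32];
    if (salt == NULL || strncmp(salt, "$6$", 3) != 0)
        return NULL;                                /* failure path */
    strcpy(out, strcmp(key, "s3cret") == 0 ? "$6$salt$GOODHASH"
                                           : "$6$salt$OTHERHASH");
    return out;
}

#ifndef USE_PAM   /* mirrors the report: this path is compiled out with PAM */
/* Returns 1 on match, 0 on mismatch, -1 when hashing failed. */
int check_password(const char *password, const char *stored, crypt_fn do_crypt)
{
    char *computed;

    if (password == NULL || stored == NULL)
        return -1;

    computed = do_crypt(password, stored);
    if (computed == NULL)      /* unchecked, strcmp(NULL, stored) would crash */
        return -1;

    return strcmp(computed, stored) == 0 ? 1 : 0;
}
#endif
```

A caller should treat -1 the same as a failed login; in a real build, crypt itself is passed as do_crypt.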