Bug 11436 - slim new security issue CVE-2013-4412
Summary: slim new security issue CVE-2013-4412
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal (severity: normal)
Target Milestone: ---
Assignee: Mageia Bug Squad
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-10 21:37 CEST by David Walser
Modified: 2013-10-10 21:38 CEST

See Also:
Source RPM: slim-1.3.4-3.mga3.src.rpm
CVE:
Status comment:


Description David Walser 2013-10-10 21:37:15 CEST
The issue with crypt() and NULL and glibc 2.17 has been assigned a CVE:
http://openwall.com/lists/oss-security/2013/10/09/4

I added mancha's patch to Cauldron a while ago.  It turns out that this issue doesn't matter for us, as we have USE_PAM defined in the spec file, so the vulnerable code is #ifdef'd out if that's defined, and we're not affected.

I'm filing this bug just to have it on record and mark it as INVALID.

Comment 1 David Walser 2013-10-10 21:38:27 CEST
BTW, the patch for this can be removed once we update to slim 1.3.6.  I tried to do it myself, but it won't build due to linking errors with various Xorg symbols.  I'm CC'ing the previous updaters of this package.

Status: NEW => RESOLVED
CC: (none) => derekjenn, n54, pierre-malo.denielou
Resolution: (none) => INVALID
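
The crypt()/NULL pattern mentioned in the description, shown as an added example that is not part of this bug report and not slim's source. `stub_crypt`, `verify_unchecked` and `verify_checked` are hypothetical names; the stub stands in for glibc 2.17's `crypt()`, and the condition under which it returns NULL is an assumption made so the example runs without libcrypt.

```c
#include <stdio.h>
#include <string.h>

/* Same signature as crypt(3); injected so the example builds without libcrypt. */
typedef char *(*crypt_fn)(const char *key, const char *salt);

/* Constructed stand-in for crypt(): returns NULL for a salt it rejects (modelled
 * here as a '!' or '*' locked-account marker), a toy non-hash string otherwise. */
char *stub_crypt(const char *key, const char *salt)
{
    static char out[128];
    if (salt == NULL || strlen(salt) < 2 || salt[0] == '!' || salt[0] == '*')
        return NULL;
    snprintf(out, sizeof out, "%.2s:%s", salt, key);
    return out;
}

#ifndef USE_PAM /* a USE_PAM build compiles this whole path out */

/* Unchecked form (assumed shape, not slim's source): if hash() returns NULL,
 * strcmp() dereferences it and the process crashes. */
int verify_unchecked(crypt_fn hash, const char *typed, const char *stored)
{
    return strcmp(hash(typed, stored), stored) == 0;
}

/* Checked form: a NULL hash is an authentication failure, never a match. */
int verify_checked(crypt_fn hash, const char *typed, const char *stored)
{
    const char *computed;
    if (typed == NULL || stored == NULL)
        return 0;
    computed = hash(typed, stored);
    return computed != NULL && strcmp(computed, stored) == 0;
}

#endif /* !USE_PAM */

int main(void)
{
#ifndef USE_PAM
    printf("unchecked, valid salt:  %d\n", verify_unchecked(stub_crypt, "secret", "ab:secret"));
    printf("checked, valid salt:    %d\n", verify_checked(stub_crypt, "secret", "ab:secret"));
    printf("checked, rejected salt: %d\n", verify_checked(stub_crypt, "secret", "!ab:secret"));
#else
    puts("USE_PAM defined: crypt() comparison not built");
#endif
    return 0;
}
```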

