[lfs-dev] Bug#832170: shadow: CVE-2016-6252: Incorrect integer handling

Douglas R. Reno renodr at linuxfromscratch.org
Sat Jul 23 09:24:58 PDT 2016


Bruce Dubbs wrote:
> I can find no description for this vulnerability.  The links just say 
> that the Debian version is vulnerable and unfixed.  Looking at Mitre, 
> they just say the CVE entry is reserved.
>
> Without any detail, there is nothing we can do.
>
> RedHat does say the vulnerability is 'local'
>
> I did find this:
>
> http://seclists.org/oss-sec/2016/q3/115
>
>   -- Bruce
>
The CVE will remain reserved as long as a company like Novell (SuSE) or 
RedHat feels like it. There is no policy on that. There are several that 
have been released publicly that still say reserved thanks to the 
actions of those companies. Canonical is probably the same way. See the 
emails I forwarded privately for patches and such. I don't think Mailman 
would approve of me forwarding all 7 of them at one time.

William Harrington wrote:
>>  From pkg-shadow dev mailing list:
>>
>> Source: shadow
>> Version: 1:4.1.5.1-1
>> Severity: important
>> Tags: security upstream
>>
>> Hi,
>>
>> the following vulnerability was published for shadow.
>>
>> CVE-2016-6252[0]:
>> incorrect integer handling
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>
>> For further information see:
>>
>> [0] https://security-tracker.debian.org/tracker/CVE-2016-6252
>>
>> Please adjust the affected versions in the BTS as needed.
>>
>> Regards,
>> Salvatore
>>
>


-- 
Douglas R. Reno
--LFS/BLFS systemd maintainer
