Quoting Steve Kemp <steve@xxxxxxxxxxxxx>:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=289784
>
> That's an .. unlikely .. bug to occur in practise. I guess only
> root can modify the GECOS field.
No, you can use the chfn command to change all data in your own GECOS field
except your real name. The command checks the length of all data, so you
probably can't use it for this attack (it might be possible to enter the
maximum amount in each field and make it reach 160 bytes that way). There are
other systems that will let you edit your GECOS field, like webmin (I think)
and more.
It's not a really serious bug, but IMHO worth fixing.
--
Ulf Harnhammar
http://www.advogato.org/person/metaur/
|
