Bug 335772 - sys-auth/libnss-mysql-1.5_p20060915 always compiled in debug mode (CVE-2010-1483)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: AMD64 Linux
Importance: High normal
Assignee: Gentoo Linux MySQL bugs team
Reported: 2010-09-03 10:59 UTC by sebastian
Modified: 2010-09-09 22:25 UTC
Description sebastian 2010-09-03 10:59:27 UTC
sys-auth/libnss-mysql-1.5_p20060915 seems to be always compiled in debug mode ignoring the USE flag. Because of the debug mode a file /tmp/libnss-mysql-debug.log is created that grows and grows.

The problem is either in the ebuild or in the configure script. I created my own ebuild and renamed the #define DEBUG switches in the sources and the problem is gone.

Reproducible: Always

Steps to Reproduce:
Run USE="-debug" ebuild /usr/portage/sys-auth/libnss-mysql/libnss-mysql-1_p20060915.ebuild clean configure
Actual Results:  
/var/tmp/portage/sys-auth/libnss-mysql-1.5_p20060915/work/libnss-mysql contains:

#define DEBUG 1

Expected Results:  
config.h must not define DEBUG.
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2010-09-08 18:21:02 UTC
hanno: I've fixed this now. Patch to configure.in for correct AC_ARG_ENABLE usage.

security:
The debug file (/tmp/libnss-mysql-debug.log) that was being created has information leak implications (specifically leaking /etc/shadow hashes). The upstream DEBUGGING file has explicit warnings about it. This problem did NOT affect the stable 1.5, just the ~arch 1.5_p20060915 version. GLSA worthy or not?
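
Comment 1 attributes the bug to incorrect AC_ARG_ENABLE usage, but the patch is not shown on this page. The sketch below is an added example, not the project's configure.in or the Gentoo patch: it models in plain shell how a generated configure script handles the flag, assuming the defect was the common one where ACTION-IF-GIVEN defines DEBUG without checking the value, so `--disable-debug` also turns it on. All function names are hypothetical.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical and the buggy form is an
# assumed reconstruction (the real configure.in is not shown on this page).

# Mirrors configure's option parsing: --enable-debug sets enable_debug=yes,
# --disable-debug sets enable_debug=no, no flag leaves the variable unset.
parse_flag() {
    unset enable_debug
    case "$1" in
        --enable-debug)   enable_debug=yes ;;
        --enable-debug=*) enable_debug=${1#--enable-debug=} ;;
        --disable-debug)  enable_debug=no ;;
    esac
}

# Assumed buggy form: AC_ARG_ENABLE(debug, [...], [AC_DEFINE(DEBUG)])
# ACTION-IF-GIVEN runs whenever enable_debug is set, even when it is "no".
buggy_config_h() {
    parse_flag "$1"
    if test "${enable_debug+set}" = set; then
        echo '#define DEBUG 1'
    else
        echo '/* #undef DEBUG */'
    fi
}

# Corrected form: default to "no" and define DEBUG only when the value is "yes".
fixed_config_h() {
    parse_flag "$1"
    enableval=${enable_debug-no}
    if test "x$enableval" = xyes; then
        echo '#define DEBUG 1'
    else
        echo '/* #undef DEBUG */'
    fi
}

# Print what each form would write to config.h for the three invocations.
for flag in --enable-debug --disable-debug ''; do
    printf '%-16s buggy: %-20s fixed: %s\n' "${flag:-no-flag}" \
        "$(buggy_config_h "$flag")" "$(fixed_config_h "$flag")"
done
```

The `--disable-debug` row is the one that matches the report: the buggy form still emits `#define DEBUG 1`, which is what the reporter found in config.h with USE="-debug".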
Comment 2 Hanno Böck gentoo-dev 2010-09-09 15:40:12 UTC
I think this is glsa-worthy and also I'll assign CVE-2010-1483 from my personal pool to it (I'll write a non-gentoo-specific advisory to the common security lists to make this public).
I'll also try to contact the author if he can apply robbat2's patch and make a new snapshot although it seems to be a dead project.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-09 15:59:44 UTC
(In reply to comment #1)
> security:
> The debug file (/tmp/libnss-mysql-debug.log) that was being created has
> information leak implications (specifically leaking /etc/shadow hashes). The
> upstream DEBUGGING file has explicit warnings about it. This problem did NOT
> affect the stable 1.5, just the ~arch 
> 1.5_p20060915 version. GLSA worthy or not?
> 

It might be worthy, but we don't cover ~arch with advisories.
Comment 4 Hanno Böck gentoo-dev 2010-09-09 22:25:53 UTC
Ok, checked, 1.5 is not affected, so we're done here. I've informed upstream and asked for a new version, but I doubt he will reply (development stopped somewhere in 2006).