nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function.
This bug is present in glibc-2.10.2 to glibc-2.10.4.
Toolchain, can you please find out whether any version in the tree is affected by this? The CVE description is a bit unspecific with regard to version numbers. Also: Do we ship Embedded GLIBC? I'm not sure if the statement from comment #1 is correct as I don't see what it relies on..
CVE-2010-0015 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0015): nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function.
We don't ship Embedded Glibc. I can't find an approved patch by upstream for this issue yet either. http://sourceware.org/bugzilla/show_bug.cgi?id=11134
nothing for us to do. see the upstream bug report for more info.
Security bug, reopening.
(In reply to comment #5) > nothing for us to do. see the upstream bug report for more info. Thanks for the input, I'm closing this invalid then.
