Bug#407231: [Adduser-devel] Processed: Re: [Pkg-shadow-devel] Bug#407231: passwd: users may gain system group access on package installation by coincidence

Stephen Gran sgran at debian.org
Wed Jan 17 13:12:52 CET 2007


This one time, at band camp, Marc Haber said:
> I can reproduce this bug on sid adduser and have written (and
> committed) a test suite case to catch this.
> 
> I would like the people who are more knowledgeable with that part of
> the code to comment before I commit this.

The real problem (I think - reflected by the patch I just checked in) is
that existing_group_ok is called with an uninitialized $new_gid.  This
makes existing_group_ok return 1 (that behavior is probably wrong in
existing_group_ok, but can be fixed later - for now, we just need to
make sure we initialize $new_group before calling it).  I have checked
in a fix that takes care to initialize $new_group before calling the
function, and it looks like it works, although I haven't yet had time to
run the test suite on it.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran at debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------