Your message dated Thu, 5 May 2005 16:22:20 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Removed
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 17 Jan 2005 07:42:59 +0000
From [EMAIL PROTECTED] Sun Jan 16 23:42:58 2005
Return-path: <[EMAIL PROTECTED]>
Received: from forumakad.pl [212.182.115.22] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1CqRXO-0008UQ-00; Sun, 16 Jan 2005 23:42:58 -0800
Received: from amavis by forumakad.pl with scanned-ok (Exim 3.35 #1 (Debian))
id 1CqRXJ-0007Mt-00
for <[EMAIL PROTECTED]>; Mon, 17 Jan 2005 08:42:53 +0100
Received: from forumakad.pl ([127.0.0.1])
by localhost (forumakad [212.182.115.22]) (amavisd-new, port 10024)
with ESMTP id 24908-06 for <[EMAIL PROTECTED]>;
Mon, 17 Jan 2005 08:42:52 +0100 (CET)
Received: from eyck by forumakad.pl with local (Exim 3.35 #1 (Debian))
id 1CqRXI-0007Mp-00; Mon, 17 Jan 2005 08:42:52 +0100
From: Dariush Pietrzak <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: openwebmail: Frivolous use of suid bit. Possible remote root.
X-Mailer: reportbug 1.50
Date: Mon, 17 Jan 2005 08:42:52 +0100
Message-Id: <[EMAIL PROTECTED]>
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at forumakad.pl
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Package: openwebmail
Version: 2.41-6
Severity: important
Tags: security
Quote:
"
OpenWebmail needs suid. Setting... Done.
Initializing. It could take a while...
".
This happens after update, while documentation states:
"...and you want to improve the security of your system
...
...
4. Change permissions
chmod -s /usr/share/openwebmail/cgi-bin/*.pl
"
This leads to the package unexpectedly running suid root.
And those are complicated pieces of unaudited code, running even without "-T".
This setup leads to the spellchecker and calendar running as root behind the
users'/admins' back.
Documentation should be fixed to state that dpkg-statoverride should be used
AND postinst shouldn't ignore existing statoverride
i.e.:
for f in /usr/lib/cgi-bin/openwebmail/openwebmail*.pl; do
    if [ -n "$(dpkg-statoverride --list "$f")" ]; then
        : # don't touch an existing override! (no dpkg-statoverride --remove "$f")
    else
        dpkg-statoverride --add root root 4755 "$f"
    fi
done
Additionally, those lines in postinst are very troubling:
"
chown root.root /usr/lib/cgi-bin/openwebmail/openwebmail*.pl || true
chmod 4755 /usr/lib/cgi-bin/openwebmail/openwebmail*.pl || true
", they should be removed as soon as possible.
Under no circumstances should package install behave like this.
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux forumakad 2.4.28-bsd25a #1 Thu Nov 18 11:54:59 CET 2004 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages openwebmail depends on:
ii apache 1.3.26-0woody6 Versatile, high-performance HTTP s
ii apache [httpd] 1.3.26-0woody6 Versatile, high-performance HTTP s
ii debconf 1.0.32 Debian configuration management sy
ii libauthen-pam-perl 0.12-2 This module provides a Perl interf
ii libdbd-mysql-perl 1.2216-2 mySQL database interface for Perl
ii libdbd-pg-perl 1.01-3 a PostgreSQL interface for Perl 5
ii libmd5-perl 2.02-3 backwards-compatible wrapper for D
ii libnet-ldap-perl 0.25-2 A Client interface to LDAP servers
ii libtext-iconv-perl 1.2-1 Convert between character sets in
ii perl 5.6.1-8.8 Larry Wall's Practical Extraction
ii perl-suid 5.6.1-8.8 Runs setuid Perl scripts.
ii ucf 1.13 Update Configuration File: preserv
ii wwwconfig-common 0.0.19 Debian web auto configuration.
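As an added illustration of the point the report makes (it is not code from the bug report or from the openwebmail package): a maintainer-script fragment that only records a setuid mode where the administrator has not already registered a decision with dpkg-statoverride, plus an audit that lists setuid files the override database does not account for. The `STATOVERRIDE_DB` stub file format ("owner group mode path") is a constructed stand-in for the real override database so the script runs on a non-Debian host; when the variable is unset, the real `dpkg-statoverride --list` and `--update --add` are used. File names in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original bug report or the openwebmail
# package. Honours existing dpkg-statoverride entries instead of blindly
# running "chmod 4755" from postinst, and audits for setuid files that no
# override backs (what a postinst "chmod 4755 ... || true" leaves behind).
set -eu

# Constructed stub: when STATOVERRIDE_DB names a file, overrides are read
# from / written to it (one "owner group mode path" line each) instead of
# calling dpkg-statoverride, so the example runs outside Debian.
STATOVERRIDE_DB="${STATOVERRIDE_DB:-}"

has_override() {
    # Exit 0 if an override is registered for the path in $1.
    if [ -n "$STATOVERRIDE_DB" ]; then
        awk -v p="$1" '$4 == p { found = 1 } END { exit !found }' "$STATOVERRIDE_DB"
    else
        [ -n "$(dpkg-statoverride --list "$1")" ]
    fi
}

add_override() {
    # Register owner $2, group $3, mode $4 for path $1 and apply it.
    if [ -n "$STATOVERRIDE_DB" ]; then
        printf '%s %s %s %s\n' "$2" "$3" "$4" "$1" >> "$STATOVERRIDE_DB"
        chmod "$4" "$1"   # stub: owner/group change needs root, mode is enough here
    else
        dpkg-statoverride --update --add "$2" "$3" "$4" "$1"
    fi
}

# postinst-style logic: set the setuid mode only where the admin has not
# recorded a decision (e.g. "chmod -s" preserved via dpkg-statoverride).
set_suid_if_unmanaged() {
    dir="$1"
    for f in "$dir"/openwebmail*.pl; do
        [ -e "$f" ] || continue
        if has_override "$f"; then
            echo "keeping existing override for $f"
        else
            add_override "$f" root root 4755
        fi
    done
}

# Audit: print every setuid file under $1 that no override accounts for.
# A non-empty result means mode bits were set behind the admin's back.
audit_unmanaged_suid() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ -u "$f" ] && ! has_override "$f"; then
            echo "$f"
        fi
    done
}
```

On a real Debian host, run `audit_unmanaged_suid /usr/lib/cgi-bin/openwebmail` with `STATOVERRIDE_DB` unset; any path it prints is a setuid script whose mode came from somewhere other than the override database, which is exactly the condition the report complains about.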
---------------------------------------
Received: (at 290848-done) by bugs.debian.org; 5 May 2005 15:22:31 +0000
From [EMAIL PROTECTED] Thu May 05 08:22:30 2005
Return-path: <[EMAIL PROTECTED]>
Received: from sorrow.cyrius.com [65.19.161.204]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DTiBJ-0008Si-00; Thu, 05 May 2005 08:22:29 -0700
Received: by sorrow.cyrius.com (Postfix, from userid 10)
id 5011464D4F; Thu, 5 May 2005 15:22:29 +0000 (UTC)
Received: by derision.cyrius.com (Postfix, from userid 1000)
id BCE9A780D0; Thu, 5 May 2005 16:22:20 +0100 (BST)
Date: Thu, 5 May 2005 16:22:20 +0100
From: Martin Michlmayr <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED]
Subject: Removed
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-1.0 required=4.0 tests=BAYES_00,ONEWORD,
SORTED_RECIPS autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
X-CrossAssassin-Score: 8
openwebmail has been removed from Debian because it had no Debian
maintainer and because it has a number of security holes.
--
Martin Michlmayr
http://www.cyrius.com/