Your message dated Mon, 08 Mar 2021 22:33:29 +0000
with message-id <[email protected]>
and subject line Bug#984810: fixed in courier-authlib 0.71.1-2
has caused the Debian Bug report #984810,
regarding courier-authlib: authtest can access user data information from 
normal users accoun
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
984810: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=984810
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: courier-authlib
Version: 0.71.0-1
Tags: upstream security buster stretch bullseye
Justification: user security hole
Severity: grave
Usertags: security

The /usr/sbin/auth is a program that can test from an
installation setup if the authlib daemon is working
without the complete courier suite installed
(for cluster or distributed environments, as I made it)

Currently, as a normal user, the users database
can be accessed if we set up mysql, postgres
or sqlite, including ldap setups.. I mean,
a limited account can query users' mail data
to make some kind of attack

This information is revealed from the DB:

serveruno:$ authtest test
Authentication succeeded.

     Authenticated: test  (uid 244, gid 244)
    Home Directory: /home/users/intranetusers/test
           Maildir: /home/users/intranetusers/test/Maildir
             Quota: (none)
Encrypted Password: {MD5RAW}34ca4238a0b923820dcc509a6f75849b
Cleartext Password: 1
           Options: (none)

Of course, not storing cleartext passwords is good practice..
but in intranets and corporate environments
known passwords are mandatory due to management
of users..

In any case, this information is too open.
We used authpasswd to check that the users db
setup is working on changes and upgrades

For this upgrade from a stable installation,
to properly test the latest version before sending this report:
the problem is present in all the versions
packaged by Debian

I asked upstream, but this problem is so obvious
that I am sending it to Debian. A sensible solution is to limit
access to the program (what I do):

chmod 750 /usr/sbin/authtest
chown courier:root /usr/sbin/authtest

I already asked upstream but I don't know what Sam will think about it!

ADDITIONAL NOTE: the package that owns the program is authlib.. this
is completely wrong.. because important setup is not retrieved by
reportbug, like the modified authdaemon setup files.. the
/usr/sbin/authenumerate, /usr/sbin/authpasswd and /usr/sbin/authtest
must belong to authdaemon (to make sense)


Kernel: Linux 5.10.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=C
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages courier-authlib depends on:
ii  adduser     3.118
ii  libc6       2.31-9
ii  libgcc-s1    10.2.1-6
ii  libgdbm6    1.19-2
ii  libltdl7    2.4.6-15
ii  libpam0g    1.4.0-6
ii  libstdc++6  10.2.1-6

Versions of packages courier-authlib recommends:
pn  expect  <none>

courier-authlib suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: courier-authlib
Source-Version: 0.71.1-2
Done: Markus Wanner <[email protected]>

We believe that the bug you reported is fixed in the latest version of
courier-authlib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Wanner <[email protected]> (supplier of updated courier-authlib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Mon, 08 Mar 2021 23:11:08 +0100
Source: courier-authlib
Architecture: source
Version: 0.71.1-2
Distribution: unstable
Urgency: medium
Maintainer: Markus Wanner <[email protected]>
Changed-By: Markus Wanner <[email protected]>
Closes: 984810 984818
Changes:
 courier-authlib (0.71.1-2) unstable; urgency=medium
 .
   * Tighten permissions on /run/courier/authdaemon.  Closes: #984810.
   * Correct init script to be idempotent.  Closes: #984818.
   * Move binaries authpasswd, authtest, and authenumerate from
     courier-authlib to courier-authdaemon.  They require the
     daemon to run and are useless without it.


--- End Message ---
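An added audit script, not part of the bug report or of the Debian package, that checks the two things the thread settles on: the reporter's chmod 750 on the auth* helpers and the maintainer's tightened permissions on /run/courier/authdaemon. It treats a path as locked down when its "other" permission bits are all zero, so accounts outside the owning group can neither run the helpers nor reach the socket; it assumes GNU coreutils stat (the -c format flag) and skips paths that are not present.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Debian package.
# Checks the paths named in the report and in the 0.71.1-2 changelog.
# Assumes GNU coreutils stat (-c is not available in BSD stat).

# other_bits PATH: prints the octal "other" digit of PATH's mode.
# Returns 2 if PATH does not exist.
other_bits() {
    [ -e "$1" ] || return 2
    mode=$(stat -c '%a' "$1") || return 2
    # keep only the last octal digit (works for 3- and 4-digit modes)
    printf '%s\n' "${mode#${mode%?}}"
}

# is_locked_down PATH: 0 if "other" has no r/w/x bit (e.g. mode 750),
# 1 if it has any (e.g. 755), 2 if PATH is missing.
is_locked_down() {
    o=$(other_bits "$1") || return 2
    [ "$o" = 0 ]
}

# audit_authlib: report each relevant path; returns 1 if any is open.
# Paths that are absent (a host without courier) are skipped, not failed.
audit_authlib() {
    rc=0
    for p in /usr/sbin/authtest /usr/sbin/authpasswd \
             /usr/sbin/authenumerate /run/courier/authdaemon; do
        if [ ! -e "$p" ]; then
            echo "skip: $p (not present)"
        elif is_locked_down "$p"; then
            echo "ok:   $p ($(stat -c '%a %U:%G' "$p"))"
        else
            echo "OPEN: $p ($(stat -c '%a %U:%G' "$p")) reachable by all users"
            rc=1
        fi
    done
    return "$rc"
}

# Run the audit only when invoked as: sh audit.sh audit
case "${1:-}" in audit) audit_authlib ;; esac
```

Run it as `sh audit.sh audit` on the mail host; a non-zero exit status means at least one of the helpers or the socket directory is still reachable by every local account.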