Your message dated Mon, 15 Jul 2013 12:32:57 +0200
with message-id <[email protected]>
and subject line done
has caused the Debian Bug report #665696,
regarding gosa-sync breaks on passwords containing spaces
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
665696: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665696
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
package: debian-edu-config
severity: important
version: squeeze/r0

Spaces need adequate quoting of the password variable in both gosa-sync and gosa.conf.

It is also very likely a security hazard to leave the user-supplied password string unquoted in those two files, whence severity=important.

The following patch just adds the quoting, and was verified to fix the issue.


--
Samuel Krempp
--- /etc/gosa/gosa.conf.befSK   2012-03-25 09:45:33.000000000 +0200
+++ /etc/gosa/gosa.conf 2012-03-25 09:50:10.000000000 +0200
@@ -44,7 +44,7 @@
       <plugin acl="users/phoneAccount:self" class="phoneAccount"/>
       <plugin acl="users/nagiosAccount:self" class="nagiosAccount"/>
       <plugin acl="users/scalixAccount:self" class="scalixAccount"/>
-      <plugin acl="users/password:self" class="password" 
postmodify="USERPASSWORD=%userPassword /usr/bin/sudo 
/usr/share/debian-edu-config/tools/gosa-sync %dn"/>
+      <plugin acl="users/password:self" class="password" 
postmodify="USERPASSWORD=&quot;%userPassword&quot; /usr/bin/sudo 
/usr/share/debian-edu-config/tools/gosa-sync %dn"/>
     </section>

     <!-- Section to enable administrative services -->
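
Review bot: In the `postmodify` attribute, wrapping `%userPassword` in `&quot;` only prevents word splitting on spaces. If this string is run by a shell, as the `VAR=value command` form suggests, then `$`, backticks, backslashes and an embedded `"` are still interpreted inside double quotes unless GOsa escapes the substituted value. Either confirm that the substitution is shell-escaped or hand the password to gosa-sync through a channel that is not part of the command string. `%dn` is substituted into the same command line unquoted and should be quoted in the same change.
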
--- /usr/share/debian-edu-config/tools/gosa-sync.orig   2012-03-25 
09:28:32.000000000 +0200
+++ /usr/share/debian-edu-config/tools/gosa-sync        2012-03-25 
09:56:04.000000000 +0200
@@ -15,7 +15,6 @@
 ## principal's one.

 RETVAL=0
-
 USERDN=$1
 USERID=`echo $USERDN | sed "s/^uid=\([^,]*\),.*$/\1/"`

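Review bot: The only change in this hunk is the removal of the blank line after `RETVAL=0`, which is unrelated to the quoting fix and should be dropped from the patch. The context line `USERID=` expands `$USERDN` unquoted in `echo $USERDN`, and `USERDN=$1` is taken straight from the caller, so `echo "$USERDN"` belongs in this fix as well.
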
@@ -30,7 +29,7 @@
 IAM=`ldapwhoami -x -Z -y $TMPFILE -D $USERDN 2>/dev/null || true`
 if [ "$IAM" = "dn:$USERDN" ] ; then
     cat > $TMPFILE <<EOF
-change_password -pw $USERPASSWORD $USERID
+change_password -pw "$USERPASSWORD" $USERID
 EOF
     cat $TMPFILE  | kadmin.local 2>&1 | logger -t gosa-sync -p notice
     logger -t gosa-sync -p notice Kerberos password for \'$USERID\' changed.
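
Review bot: On the `change_password -pw "$USERPASSWORD" $USERID` line the added quotes are literal text inside a here-document with an unquoted `EOF` delimiter, so they are parsed by kadmin.local and not by the shell; a password that itself contains a double quote can still end the argument early. Reject or escape such characters before writing the line. While touching this block, quote `$TMPFILE` in `cat > $TMPFILE` and `cat $TMPFILE`, and `$USERDN` in the `ldapwhoami` call.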

--- End Message ---
--- Begin Message ---
version: 1.454

Done a long time ago...



--- End Message ---