Bug#618026: ibid: Ibid 0.1.1 contains 3 security fixes
tag 618026 + pending
thanks

On Mon, 2011-09-26 at 12:34 +0200, Stefano Rivera wrote:
> Hi Adam (2011.09.22_20:20:54_+0200)
> > > Happy to add a NEWS entry, though.
> > That sounds good; thanks.
> New debdiff attached.

Please go ahead; thanks.

Regards,

Adam

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#618026: ibid: Ibid 0.1.1 contains 3 security fixes
On Mon, 2011-09-26 at 14:53 +0100, Adam D. Barratt wrote:
> tag 618026 + pending

Hmmm, that should have been confirmed; saves me having to +pending now though, so never mind.

> On Mon, 2011-09-26 at 12:34 +0200, Stefano Rivera wrote:
> > Hi Adam (2011.09.22_20:20:54_+0200)
> > > > Happy to add a NEWS entry, though.
> > > That sounds good; thanks.
> > New debdiff attached.
>
> Please go ahead; thanks.

The upload happened, and I've just marked the package for acceptance at the next dinstall; thanks.

Regards,

Adam
Bug#618026: ibid: Ibid 0.1.1 contains 3 security fixes
On Wed, 2011-09-21 at 13:46 +0200, Stefano Rivera wrote:
> Hi Adam (2011.09.20_20:08:41_+0200)
> > Yeah, I can see the problem. I just wonder if there's some way we can
> > reduce the number of "why can't I see my logs any more" bugs as a
> > result (preferably to none).
>
> There are few users that we know about, so I'm not massively concerned
> about this. Happy to add a NEWS entry, though.

That sounds good; thanks.

Regards,

Adam
Bug#618026: ibid: Ibid 0.1.1 contains 3 security fixes
Hi Adam (2011.09.20_20:08:41_+0200)
> Yeah, I can see the problem. I just wonder if there's some way we can
> reduce the number of "why can't I see my logs any more" bugs as a
> result (preferably to none).

There are few users that we know about, so I'm not massively concerned
about this. Happy to add a NEWS entry, though.

> We could mention it explicitly in the point release announcement mail,
> but I'm not sure how many people actually read those.

Don't think it's worth the mention, given what we know about our user base.

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  H: +27 21 465 6908 C: +27 72 419 8559 UCT: x3127
Bug#618026: ibid: Ibid 0.1.1 contains 3 security fixes
Hi Adam (2011.09.17_18:09:13_+0200)
> If you're going to do that, you need to either (preferably) CC the
> receiving package on your mail, or send a separate mail. What tends to
> happen (as in this case) is that the control@ reassign gets processed
> after the rest of the mail has been received and the new package only
> gets the control@ output with no other information.

Fair point, thanks :)

> One quick question - doesn't this change:
>
> +- logfile-visibility-567576.patch: Channels must be explicitly configured
> +  to have publicly readable logs. (LP: #567576)
>
> have the potential to at least confuse users who are expecting the logs
> to be created in a publicly readable manner?

Yes. This was the simplest fix to the problem, and probably how things
should have been from the start.

I don't think there is a regression-free fix to the bug, as the bot
cannot know whether it is speaking to a public channel or a private
message, when it speaks first. (Even on IRC, not all channels are
required to have names starting with #)

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  H: +27 21 465 6908 C: +27 72 419 8559 UCT: x3127
Bug#618026: ibid: Ibid 0.1.1 contains 3 security fixes
On Tue, 2011-09-20 at 12:33 +0200, Stefano Rivera wrote:
> Hi Adam (2011.09.17_18:09:13_+0200)
> > One quick question - doesn't this change:
> >
> > +- logfile-visibility-567576.patch: Channels must be explicitly configured
> > +  to have publicly readable logs. (LP: #567576)
> >
> > have the potential to at least confuse users who are expecting the logs
> > to be created in a publicly readable manner?
>
> Yes. This was the simplest fix to the problem, and probably how things
> should have been from the start.
>
> I don't think there is a regression-free fix to the bug, as the bot
> cannot know whether it is speaking to a public channel or a private
> message, when it speaks first. (Even on IRC, not all channels are
> required to have names starting with #)

Yeah, I can see the problem. I just wonder if there's some way we can
reduce the number of "why can't I see my logs any more" bugs as a
result (preferably to none).

We could mention it explicitly in the point release announcement mail,
but I'm not sure how many people actually read those.

Regards,

Adam
Bug#618026: ibid: Ibid 0.1.1 contains 3 security fixes
tag 618026 + squeeze moreinfo - upstream patch security
retitle 618026 pu: package ibid/0.1.0+dfsg-2+squeeze1
thanks

On Wed, 2011-09-07 at 22:07 +0200, Stefano Rivera wrote:
> reassign 618026 release.debian.org

If you're going to do that, you need to either (preferably) CC the
receiving package on your mail, or send a separate mail. What tends to
happen (as in this case) is that the control@ reassign gets processed
after the rest of the mail has been received and the new package only
gets the control@ output with no other information.

> > Ibid 0.1.1 fixes 3 security issues [0]. They aren't particularly
> > serious, but should probably be addressed.
>
> Right, clearly not significant enough for the usual security route.
> Here's a stable targeted debdiff, with an additional fix.

Thanks for working on this. One quick question - doesn't this change:

+- logfile-visibility-567576.patch: Channels must be explicitly configured
+  to have publicly readable logs. (LP: #567576)

have the potential to at least confuse users who are expecting the logs
to be created in a publicly readable manner?

Regards,

Adam
Bug#618026: ibid: Ibid 0.1.1 contains 3 security fixes
reassign 618026 release.debian.org
severity 618026 normal
user release.debian@packages.debian.org
usertags 618026 pu
thanks

> Ibid 0.1.1 fixes 3 security issues [0]. They aren't particularly
> serious, but should probably be addressed.

Right, clearly not significant enough for the usual security route.
Here's a stable targeted debdiff, with an additional fix.

Meh, should have done this months ago...

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  H: +27 21 465 6908 C: +27 72 419 8559 UCT: x3127

diff -Nru ibid-0.1.0+dfsg/debian/changelog ibid-0.1.0+dfsg/debian/changelog --- ibid-0.1.0+dfsg/debian/changelog2010-06-17 19:23:31.0 +0200 +++ ibid-0.1.0+dfsg/debian/changelog2011-09-07 22:06:04.0 +0200 @@ -1,3 +1,18 @@ +ibid (0.1.0+dfsg-2+squeeze1) stable; urgency=medium + + * Fix the following security issues. Fixes backported from 0.1.1 bugfix +release (Closes: #618026): +- perms-705860.patch: Enforce access-restriction on handlers without + @match patterns. (LP: #705860) +- logfile-visibility-567576.patch: Channels must be explicitly configured + to have publicly readable logs. (LP: #567576) +- meeting-privacy-649383.patch: Don't report private messages from the bot + in meeting minutes. (LP: #649383) + * http-features-fix-545168.patch: Fix the breakage of the http source +(LP: #545168) + + -- Stefano Rivera stefa...@debian.org Wed, 07 Sep 2011 22:06:04 +0200 + ibid (0.1.0+dfsg-2) unstable; urgency=low * Don't leak uid and umask into source tarball. diff -Nru ibid-0.1.0+dfsg/debian/control ibid-0.1.0+dfsg/debian/control --- ibid-0.1.0+dfsg/debian/control 2010-06-17 16:17:56.0 +0200 +++ ibid-0.1.0+dfsg/debian/control 2011-09-07 21:58:14.0 +0200
@@ -2,7 +2,7 @@ Section: net Priority: optional Maintainer: Debian Python Modules Team python-modules-t...@lists.alioth.debian.org -Uploaders: Stefano Rivera stef...@rivera.za.net +Uploaders: Stefano Rivera stef...@debian.org Build-Depends: debhelper (= 7.0.50~), python-central (= 0.6.7~), python-all, python-beautifulsoup, python-configobj (= 4.7), python-dateutil, python-html5lib, python-jinja, python-pkg-resources, python-setuptools, diff -Nru ibid-0.1.0+dfsg/debian/patches/http-features-fix-545168.patch ibid-0.1.0+dfsg/debian/patches/http-features-fix-545168.patch --- ibid-0.1.0+dfsg/debian/patches/http-features-fix-545168.patch 1970-01-01 02:00:00.0 +0200 +++ ibid-0.1.0+dfsg/debian/patches/http-features-fix-545168.patch 2011-09-07 21:46:31.0 +0200 
@@ -0,0 +1,27 @@ +Description: Fix HTTP source + Update HTTP source for multiple features per processor. + This was a change just befor 0.1.0, which broke http. +Origin: upstream, https://code.launchpad.net/~mgorven/ibid/http-features-fix/+merge/21945 +Bug-Upstream: https://bugs.launchpad.net/ibid/+bug/545168 +Last-Update: 2011-09-07 + +--- a/ibid/plugins/__init__.py b/ibid/plugins/__init__.py +@@ -262,7 +262,7 @@ + isLeaf = True + + def __init__(self): +-ibid.rpc[self.feature] = self ++ibid.rpc[self.feature[0]] = self + self.form = templates.get_template('plugin_form.html') + self.list = templates.get_template('plugin_functions.html') + +@@ -309,7 +309,7 @@ + if name.startswith('remote_'): + functions.append(name.replace('remote_', '', 1)) + +-return self.list.render(object=self.feature, functions=functions) \ ++return self.list.render(object=self.feature[0], functions=functions) \ + .encode('utf-8') + + args, varargs, varkw, defaults = getargspec(function) diff -Nru ibid-0.1.0+dfsg/debian/patches/logfile-visibility-567576.patch ibid-0.1.0+dfsg/debian/patches/logfile-visibility-567576.patch --- ibid-0.1.0+dfsg/debian/patches/logfile-visibility-567576.patch 1970-01-01 02:00:00.0 +0200 +++ ibid-0.1.0+dfsg/debian/patches/logfile-visibility-567576.patch 2011-09-07 21:39:38.0 +0200 
@@ -0,0 +1,85 @@ +Description: Channels must be explicitly configured to have publicly readable logs. + Occasionally insecure permissions on log files. When the bot spoke first + (creating a new log file), the log file would be publicly readable, even if + the message was sent in private. + . + Resolution: Now channels must be explicitly configured to have publicly + readable logs. +Bug-Upstream: https://bugs.launchpad.net/ibid/+bug/567576 +Origin: upstream, https://code.launchpad.net/~stefanor/ibid/logfile-visibility-567576-0.1/+merge/36937 +Last-Update: 2011-03-13 + +--- a/ibid/plugins/log.py b/ibid/plugins/log.py +@@ -4,6 +4,8 @@ + Logs messages sent and received. + + from datetime import datetime ++import fnmatch ++import logging + from os.path import dirname, join, expanduser + from os import chmod, makedirs + +@@ -11,9 +13,11 @@ + + import ibid + from ibid.plugins import Processor, handler +-from ibid.config import Option,
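Review bot: the debian/changelog entry for logfile-visibility-567576.patch states the new default ("Channels must be explicitly configured to have publicly readable logs") but nothing in the debdiff tells existing squeeze users that their channel logs will stop being world-readable after the upgrade; add a debian/NEWS entry describing the behaviour change and how to opt a channel back into public logs, so apt-listchanges surfaces it instead of it arriving as a "why can't I see my logs any more" bug.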
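Review bot: the Uploaders change in debian/control (stef...@rivera.za.net to stef...@debian.org) is unrelated to the security fixes this stable update carries and is not mentioned in the changelog; a stable update is normally restricted to the targeted fixes, so either drop the hunk or note it in the changelog so the release team does not have to ask.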
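Review bot: in http-features-fix-545168.patch the ibid/plugins/__init__.py change registers only `self.feature[0]` in `ibid.rpc` and renders only `self.feature[0]`, so a processor that declares several features is reachable over the HTTP source under its first feature name alone; if that is intended, say so in the patch Description (which also has a typo, "befor"), otherwise register each entry of `self.feature`.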
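Review bot: logfile-visibility-567576.patch as shown ends in the import block of ibid/plugins/log.py (new `fnmatch` and `logging` imports, with `chmod` already imported from `os`), before the code that decides a log file's mode, so the mode logic itself is not reviewable here; whatever it does, the file should be created with the restrictive mode from the start (os.open with an explicit mode, or opening under a tightened umask) rather than created with the default umask and chmod-ed afterwards, since the Description's scenario of a web server publishing the log directory means even a briefly world-readable file is exposed.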
Bug#618026: ibid: Ibid 0.1.1 contains 3 security fixes
Package: ibid
Version: 0.1.0+dfsg-2
Severity: serious
Tags: security upstream patch

Ibid 0.1.1 fixes 3 security issues [0]. They aren't particularly serious,
but should probably be addressed.

[0]: http://ibid.omnia.za.net/docs/0.1.0/changes.html#release-0-1-1-pimpernel-2011-02-24

Remote Execution: http://bugs.launchpad.net/bugs/705860

  Permissions were ignored for handlers not using @match. This allowed
  users to perform actions they were not authorised to. However, no
  included plugins were exposed by this; all access-restricted handlers
  had match patterns.

Information Disclosure: http://bugs.launchpad.net/bugs/567576

  Occasionally insecure permissions on log files. When the bot spoke
  first (creating a new log file), the log file would be publicly
  readable, even if the message was sent in private.

  Example: If the bot delivered a privmsg memo to a user at the beginning
  of the month, it would create the logfile with publicly readable
  permissions. If the logfile directory was published by a web server,
  this would make this private conversation log accessible to the public.

  Resolution: Now channels must be explicitly configured to have publicly
  readable logs.

http://bugs.launchpad.net/649383

  If someone received a private message from the bot during a public
  meeting, the message could appear in the meeting minutes.

  Example: a privmsg memo received during a meeting would appear in the
  minutes.

Proposed debdiff with backported fixes attached.
SR

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_ZA.UTF-8, LC_CTYPE=en_ZA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
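The Remote Execution issue above (LP #705860, permissions ignored for handlers without @match) as an added illustration; this is not ibid's code, and the `Handler` class, the `ROLES` ACL and the two dispatchers are constructed for the example. The buggy dispatcher checks the access restriction only inside the pattern-matching branch, so a restricted handler that has no pattern runs for anyone; the fixed dispatcher never invokes a restricted handler for a user who lacks the permission, pattern or not.

```python
import re

# Constructed ACL: the permissions each user holds (assumption for the example).
ROLES = {"alice": {"admin"}, "mallory": set()}


def has_permission(user, permission):
    return permission is None or permission in ROLES.get(user, set())


class Handler:
    """A plugin handler: `pattern` is optional, `permission` restricts who may run it."""
    def __init__(self, func, pattern=None, permission=None):
        self.func, self.permission = func, permission
        self.regex = re.compile(pattern) if pattern else None


def restart(user, text):
    return "restarted by " + user


def freeform(user, text):  # no pattern: decides for itself whether the text is for it
    return "config changed by " + user if text.startswith("set config") else None


HANDLERS = [
    Handler(restart, pattern=r"^restart$", permission="admin"),
    Handler(freeform, permission="admin"),  # restricted, but has no @match pattern
]


def dispatch_buggy(user, text):
    """The LP #705860 shape: the permission check sits inside the pattern branch,
    so a restricted handler without a pattern runs for any user."""
    for h in HANDLERS:
        if h.regex is None:
            result = h.func(user, text)          # never authorised: the bug
        elif h.regex.match(text):
            if not has_permission(user, h.permission):
                return "denied"
            result = h.func(user, text)
        else:
            continue
        if result is not None:
            return result
    return None


def dispatch_fixed(user, text):
    """Enforce the restriction before any handler runs, whether or not it has a pattern."""
    for h in HANDLERS:
        if h.regex is not None and not h.regex.match(text):
            continue
        if not has_permission(user, h.permission):
            continue                             # restricted handler is simply never invoked
        result = h.func(user, text)
        if result is not None:
            return result
    return None
```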
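The Information Disclosure issue above (LP #567576) and its resolution, as an added example that is not ibid's code: log files are created owner-only unless the channel matches an explicitly configured fnmatch pattern, and the mode is set at creation time rather than by a later chmod. The `PUBLIC_LOGS` configuration shape and the function names are assumptions for the example.

```python
import fnmatch
import os
import stat
import tempfile

PRIVATE_MODE = 0o600  # owner-only: the default for a log the bot created by speaking first
PUBLIC_MODE = 0o644   # world-readable: only for channels an admin explicitly configured

# Constructed sample configuration (assumed shape, not ibid's option): per-source
# fnmatch patterns of channels whose logs may be public. Anything not matched,
# including private messages and unlisted '#' channels, stays private.
PUBLIC_LOGS = {"irc": ["#ibid", "#ubuntu-*"]}


def is_public(source, channel, public_logs=PUBLIC_LOGS):
    """Opt-in check: a channel's log is public only if it matches a configured pattern."""
    return any(fnmatch.fnmatch(channel, pat) for pat in public_logs.get(source, []))


def open_log(path, public):
    """Create the file with its final mode, so a world-readable file never exists
    even briefly before a chmod; fchmod then enforces the policy regardless of
    umask and on files that already existed with a different mode."""
    mode = PUBLIC_MODE if public else PRIVATE_MODE
    os.makedirs(os.path.dirname(path), exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, mode)
    os.fchmod(fd, mode)
    return os.fdopen(fd, "a")


def log_message(logdir, source, channel, line, public_logs=PUBLIC_LOGS):
    """Append one line to the (source, channel) log and return its permission bits."""
    safe_name = channel.replace(os.sep, "_")  # a channel name must not add path components
    path = os.path.join(logdir, source, safe_name + ".log")
    with open_log(path, is_public(source, channel, public_logs)) as f:
        f.write(line + "\n")
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """First message of the month in four contexts; returns {channel: mode}."""
    logdir = tempfile.mkdtemp(prefix="ibid-log-")
    return {
        "#ibid": log_message(logdir, "irc", "#ibid", "<bot> hi all"),
        "#ubuntu-za": log_message(logdir, "irc", "#ubuntu-za", "<bot> hello"),
        "stefanor": log_message(logdir, "irc", "stefanor", "<bot> memo from alice"),
        "#hidden": log_message(logdir, "irc", "#hidden", "<bot> hi"),  # '#' alone is not public
    }


if __name__ == "__main__":
    for chan, mode in demo().items():
        print(f"{chan:12s} {oct(mode)}")
```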