Bug#684619: [nullmailer] Debconf prompts for info that might contain password, saves to world-readable file
Potential sponsors can find more recent information about the package to be sponsored on RFS bug 684679.

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#684619: [nullmailer] Debconf prompts for info that might contain password, saves to world-readable file
On Mon, Aug 13, 2012 at 08:54:52AM +0100, Nick Leverton wrote:
> Thanks for the very good catch on this one. The package is ready to upload but needs a sponsor. Would you be able to spare a bit more time to upload the fix for me, please?
>
> Source is dgettable from
> http://mentors.debian.net/debian/pool/main/n/nullmailer/nullmailer_1.11-2.dsc

I could sponsor sometime in the next couple days, if you still haven't found a sponsor.

live well,
  vagrant
Bug#684619: [nullmailer] Debconf prompts for info that might contain password, saves to world-readable file
On Sat, Aug 18, 2012 at 01:53:20PM -0700, Vagrant Cascadian wrote:
> On Mon, Aug 13, 2012 at 08:54:52AM +0100, Nick Leverton wrote:
> > Thanks for the very good catch on this one. The package is ready to upload but needs a sponsor. Would you be able to spare a bit more time to upload the fix for me, please?
> >
> > Source is dgettable from
> > http://mentors.debian.net/debian/pool/main/n/nullmailer/nullmailer_1.11-2.dsc
>
> I could sponsor sometime in the next couple days, if you still haven't found a sponsor.

Hi Vagrant,

Thank you for offering, I'd be very happy for that whenever you have time.

Nick
Bug#684619: [nullmailer] Debconf prompts for info that might contain password, saves to world-readable file
Hi,

Thanks for the very good catch on this one. The package is ready to upload but needs a sponsor. Would you be able to spare a bit more time to upload the fix for me, please?

Source is dgettable from
http://mentors.debian.net/debian/pool/main/n/nullmailer/nullmailer_1.11-2.dsc

If you're busy then thanks for your valuable contribution to the package already,

Nick Leverton

Debdiff:

diff -Nru nullmailer-1.11/debian/changelog nullmailer-1.11/debian/changelog --- nullmailer-1.11/debian/changelog2012-06-16 16:36:28.0 +0100 +++ nullmailer-1.11/debian/changelog2012-08-11 23:55:36.0 +0100 @@ -1,3 +1,9 @@ +nullmailer (1:1.11-2) unstable; urgency=low + + * Make 'remotes' not world-readable (Closes: #684619) + + -- Nick Leverton n...@leverton.org Sat, 11 Aug 2012 23:54:55 +0100 + nullmailer (1:1.11-1) unstable; urgency=low * New upstream release diff -Nru nullmailer-1.11/debian/postinst nullmailer-1.11/debian/postinst --- nullmailer-1.11/debian/postinst 2012-05-16 08:25:36.0 +0100 +++ nullmailer-1.11/debian/postinst 2012-08-12 20:23:46.0 +0100 @@ -24,10 +24,14 @@ fi db_get nullmailer/relayhost + # securely create nullmailer/remotes with mode 0600 + R=$( tempfile -d /etc/nullmailer -p nullm ) echo $RET | sed -r -e ':a s/(\[[^]:]*):/\1=/; ta' \ -e 's/[[:space:]]*:[[:space:]]*/\n/g' \ -e ':b s/(\[[^]=]*)=/\1:/; tb' \ --e 's/[][]//g' /etc/nullmailer/remotes +-e 's/[][]//g' $R + chown mail:mail $R + mv $R /etc/nullmailer/remotes db_get nullmailer/adminaddr if [ $RET ]; then
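Review bot: the debian/changelog hunk records the fix at urgency=low although the bug it closes was filed at Severity: serious with Tags: security; a higher urgency shortens the wait before the package migrates to testing, so consider raising it. The entry could also say that /etc/nullmailer/remotes is now re-created on upgrade and owned by mail:mail, since both are visible changes an administrator may notice after the update.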
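Review bot: in the debian/postinst hunk, `R=$( tempfile -d /etc/nullmailer -p nullm )` has no failure check; unless the script runs under set -e (not visible in this hunk), a failed tempfile leaves $R empty and the following `chown mail:mail $R` and `mv $R /etc/nullmailer/remotes` run with an empty argument, so either append `|| exit 1` to that line or confirm set -e at the top of the script. The rest of the shape is right: tempfile creates the file 0600 by default, the contents are written before chown, and because the temp file is created in /etc/nullmailer the mv is a same-filesystem rename, so the old world-readable file is replaced atomically rather than truncated and re-filled in place. One thing the hunk does not reach: the value still comes from `db_get nullmailer/relayhost`, and debconf keeps its own copy of every answer; unless that template is of password type, the copy sits in debconf's ordinary config database rather than its password store, so the template type deserves a look alongside this fix.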
Bug#684619: [nullmailer] Debconf prompts for info that might contain password, saves to world-readable file
At 08:54 +0100 13 Aug 2012, Nick Leverton n...@leverton.org wrote:
> Thanks for the very good catch on this one. The package is ready to upload but needs a sponsor. Would you be able to spare a bit more time to upload the fix for me, please?

Sorry, I'm not a Debian Developer, so I can't upload packages.
Bug#684619: [nullmailer] Debconf prompts for info that might contain password, saves to world-readable file
Hi Nick,

Why not simply use touch and chmod?

| touch file.txt
| chmod 600 file.txt
| echo secret > file.txt

Regards,

Bart Martens
Bug#684619: [nullmailer] Debconf prompts for info that might contain password, saves to world-readable file
On Mon, Aug 13, 2012 at 05:45:40PM +, Bart Martens wrote:
> Hi Nick,
>
> Why not simply use touch and chmod?
>
> | touch file.txt
> | chmod 600 file.txt
> | echo secret > file.txt

It's still susceptible to reading, by someone opening the file in between the touch and the chmod. Admittedly a much narrower window of insecurity but still there.

Nick
Bug#684619: [nullmailer] Debconf prompts for info that might contain password, saves to world-readable file
Package: nullmailer
Version: 1:1.11-1
Severity: serious
Tags: security
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org

--- Please enter the report below this line. ---

During installation, this package uses debconf to get information about how mail should be delivered, giving examples that show how to specify a password for an SMTP account. This information is then saved to /etc/nullmailer/remotes which is readable by any account on the system.

--- System information. ---
Architecture: amd64
Kernel: Linux 3.2.0-3-amd64

Debian Release: wheezy/sid
500 unstable http.debian.net

--- Package information. ---
Depends (Version) | Installed
===================-+-===========
libc6 (>= 2.4) | 2.13-35
libgnutls26 (>= 2.12.17-0) | 2.12.20-1
libstdc++6 (>= 4.1.1) | 4.7.1-6
debconf (>= 0.5) | 1.5.45
 OR debconf-2.0 |
lsb-base | 4.1+Debian7

Recommends (Version) | Installed
======================-+-===========
rsyslog | 5.8.11-1+b1
 OR system-log-daemon |

Package's Suggests field is empty.
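Nick's point earlier in the thread about the window between touch and chmod, and the world-readable /etc/nullmailer/remotes this report describes, as an added example that is not part of the bug thread or of the nullmailer package: a POSIX shell script that records the mode a file has between touch and chmod, writes the same secret without that window using mktemp in the destination directory followed by an atomic mv (the same shape as the uploaded fix), and audits a directory for files other users can read. Every path is constructed under a throwaway mktemp -d directory and the relay line containing --pass=hunter2 is made up; nothing touches /etc.

```shell
#!/bin/sh
# Added example, not from the bug thread or the nullmailer package.
# Everything runs under a throwaway directory from mktemp -d; the
# "smtp.example.com ... --pass=hunter2" relay line is made up.

# Permission bits of a file as octal digits (GNU stat, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The touch/chmod pattern suggested in the thread.  touch creates the
# file under the caller's umask (forced to the common 022 here), so it
# sits at 0644 until chmod runs.  Prints the mode seen in that window.
racy_write() {
    dst=$1 secret=$2
    ( umask 022; touch "$dst" )
    window_mode=$(file_mode "$dst")
    chmod 600 "$dst"
    printf '%s\n' "$secret" > "$dst"
    echo "$window_mode"
}

# Race-free variant, same shape as the nullmailer 1:1.11-2 postinst:
# mktemp creates the file 0600 (umask 077 is belt and braces), the
# secret is written while only the owner can open it, and mv is an
# atomic rename because the temp file lives in the destination
# directory.  A chown to the consuming user (e.g. mail:mail) would go
# just before the mv.
safe_write() {
    dst=$1 secret=$2
    dir=$(dirname "$dst")
    tmp=$( umask 077; mktemp "$dir/.secret.XXXXXX" ) || return 1
    if ! printf '%s\n' "$secret" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$dst"
}

# Regular files under $1 that "other" can read; pointed at
# /etc/nullmailer this is the check behind the original report.
world_readable_files() {
    find "$1" -type f -perm -004
}

demo() {
    work=$(mktemp -d) || return 1
    relay='smtp.example.com --port=587 --user=me --pass=hunter2'
    seen=$(racy_write "$work/remotes.racy" "$relay")
    safe_write "$work/remotes.safe" "$relay"
    echo "touch+chmod: mode during the window $seen, after chmod $(file_mode "$work/remotes.racy")"
    echo "mktemp+mv:   mode $(file_mode "$work/remotes.safe") from creation onward"
    ( umask 022; touch "$work/leaked" )
    echo "other-readable files under $work:"
    world_readable_files "$work"
    rm -rf "$work"
}

demo
```

Run it with `sh script.sh`; the first line of output shows 644 for the window and 600 afterwards, the second shows 600 throughout, and the audit lists only the deliberately leaked file. The mktemp call deliberately uses the destination directory rather than /tmp: a cross-filesystem mv degrades to copy-then-unlink, which would reopen the window the temp file was meant to close.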