[nullmailer] Debconf prompts for info that might contain password, saves to world-readable file (CVE-2013-4223)

Related Vulnerabilities: CVE-2013-4223  

Debian Bug report logs - #684619

Reported by: Aaron Schrab <aaron@schrab.com>

Date: Sat, 11 Aug 2012 22:09:02 UTC

Severity: serious

Tags: patch, security

Found in version nullmailer/1:1.11-1

Fixed in version nullmailer/1:1.11-2

Done: Nick Leverton <nick@leverton.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, secure-testing-team@lists.alioth.debian.org, Nick Leverton <nick@leverton.org>:
Bug#684619; Package nullmailer. (Sat, 11 Aug 2012 22:09:04 GMT)


Acknowledgement sent to Aaron Schrab <aaron@schrab.com>:
New Bug report received and forwarded. Copy sent to secure-testing-team@lists.alioth.debian.org, Nick Leverton <nick@leverton.org>. (Sat, 11 Aug 2012 22:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Aaron Schrab <aaron@schrab.com>
To: submit@bugs.debian.org
Subject: [nullmailer] Debconf prompts for info that might contain password, saves to world-readable file
Date: Sat, 11 Aug 2012 17:58:50 -0400
Package: nullmailer
Version: 1:1.11-1
Severity: serious
Tags: security
X-Debbugs-CC: secure-testing-team@lists.alioth.debian.org

--- Please enter the report below this line. ---

During installation, this package uses debconf to get information about how
mail should be delivered, giving examples that show how to specify a password
for an SMTP account.  This information is then saved to
/etc/nullmailer/remotes which is readable by any account on the system.

--- System information. ---
Architecture: amd64
Kernel:       Linux 3.2.0-3-amd64

Debian Release: wheezy/sid
  500 unstable        http.debian.net 

--- Package information. ---
Depends              (Version) | Installed
==============================-+-===============
libc6                 (>= 2.4) | 2.13-35
libgnutls26     (>= 2.12.17-0) | 2.12.20-1
libstdc++6          (>= 4.1.1) | 4.7.1-6
debconf              (>= 0.5)  | 1.5.45
 OR debconf-2.0                | 
lsb-base                       | 4.1+Debian7


Recommends             (Version) | Installed
================================-+-===========
rsyslog                          | 5.8.11-1+b1
 OR system-log-daemon            | 


Package's Suggests field is empty.
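
The report describes a configuration file that any local account can read. An audit for that condition, added here as an example and not part of the bug report: it lists regular files under a directory with a group or other read bit, and narrows to those that look like they hold a credential. The directory and its contents are constructed so the script runs offline; on a real host call `world_readable /etc/nullmailer` instead. The remotes line shape (`host protocol --user= --pass=`) is assumed from nullmailer's own documentation, and the hostname and credentials are made up.

```shell
#!/bin/sh
# Added example, not part of the bug report or the nullmailer package:
# find config files that other local accounts can read, the way the
# 1:1.11-1 'remotes' file could be read. Sample directory is constructed
# below; the remotes line format and credentials are assumptions.
set -eu

# Regular files under $1 with a read bit for group or other. Octal masks
# keep this POSIX: -perm -040 is "group-readable", -perm -004 is "other".
world_readable() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print | sort
}

# Same, restricted to files whose contents look like they carry a secret.
readable_secrets() {
    world_readable "$1" | while IFS= read -r f; do
        if grep -qiE -- '--pass=|password' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a look-alike of /etc/nullmailer: a 0644 remotes file with an SMTP
# password (the situation the report describes), the same file created as
# 0600, and a harmless 0644 file that must not be flagged as a secret.
demo_dir() {
    d=$(mktemp -d)
    line="smtp.example.org smtp --port=587 --user=relay --pass=hunter2"
    ( umask 022; printf '%s\n' "$line" > "$d/remotes" )
    ( umask 077; printf '%s\n' "$line" > "$d/remotes.fixed" )
    ( umask 022; printf '%s\n' "mail.example.org" > "$d/defaulthost" )
    printf '%s\n' "$d"
}

# Usage: print the files in the sample directory that leak a credential.
d=$(demo_dir)
readable_secrets "$d"
rm -rf "$d"
```

`world_readable` on its own is the broad sweep (point it at `/etc`); `readable_secrets` is the triage step that separates a world-readable hostname file, which is fine, from a world-readable relay password, which is the bug.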



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#684619; Package nullmailer. (Mon, 13 Aug 2012 08:03:05 GMT)


Acknowledgement sent to Nick Leverton <nick@leverton.org>:
Extra info received and forwarded to list. (Mon, 13 Aug 2012 08:03:05 GMT)


Message #10 received at 684619@bugs.debian.org:

From: Nick Leverton <nick@leverton.org>
To: Aaron Schrab <aaron@schrab.com>, 684619@bugs.debian.org
Subject: Re: Bug#684619: [nullmailer] Debconf prompts for info that might contain password, saves to world-readable file
Date: Mon, 13 Aug 2012 08:54:52 +0100
Hi,

Thanks for the very good catch on this one.  The package is ready to
upload but needs a sponsor.  Would you be able to spare a bit more
time to upload the fix for me, please ?  Source is dgettable from
http://mentors.debian.net/debian/pool/main/n/nullmailer/nullmailer_1.11-2.dsc

If you're busy then thanks for your valuable contribution to the package
already,

Nick Leverton

Debdiff:

diff -Nru nullmailer-1.11/debian/changelog nullmailer-1.11/debian/changelog
--- nullmailer-1.11/debian/changelog	2012-06-16 16:36:28.000000000 +0100
+++ nullmailer-1.11/debian/changelog	2012-08-11 23:55:36.000000000 +0100
@@ -1,3 +1,9 @@
+nullmailer (1:1.11-2) unstable; urgency=low
+
+  * Make 'remotes' not world-readable (Closes: #684619)
+
+ -- Nick Leverton <nick@leverton.org>  Sat, 11 Aug 2012 23:54:55 +0100
+
 nullmailer (1:1.11-1) unstable; urgency=low
 
   * New upstream release
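Review bot: the changelog entry undersells an admin-visible change. After this upload /etc/nullmailer/remotes is owned by mail:mail with mode 0600 and is regenerated from the debconf answer, so state that here (and, since this fixes a security bug filed as serious, urgency=low is the slow path into testing; medium or high would be the usual choice).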
diff -Nru nullmailer-1.11/debian/postinst nullmailer-1.11/debian/postinst
--- nullmailer-1.11/debian/postinst	2012-05-16 08:25:36.000000000 +0100
+++ nullmailer-1.11/debian/postinst	2012-08-12 20:23:46.000000000 +0100
@@ -24,10 +24,14 @@
 		fi
 
 		db_get nullmailer/relayhost
+		# securely create nullmailer/remotes with mode 0600
+		R=$( tempfile -d /etc/nullmailer -p nullm )
 		echo "$RET" | sed -r -e ':a s/(\[[^]:]*):/\1=/; ta' \
 				     -e 's/[[:space:]]*:[[:space:]]*/\n/g' \
 				     -e ':b s/(\[[^]=]*)=/\1:/; tb' \
-				     -e 's/[][]//g' > /etc/nullmailer/remotes
+				     -e 's/[][]//g' >> $R
+		chown mail:mail $R
+		mv $R /etc/nullmailer/remotes
 
 		db_get nullmailer/adminaddr
 		if [ "$RET" ]; then
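Review bot: nothing in the hunk guards against `tempfile` failing. No `set -e` is visible in the context, so if `tempfile -d /etc/nullmailer -p nullm` fails, `$R` is empty, `>> $R` errors out or writes nowhere, and `chown mail:mail $R` / `mv $R /etc/nullmailer/remotes` run against an empty name; check its exit status and quote `"$R"` throughout. Two smaller points: the comment says `nullmailer/remotes` while the file is `/etc/nullmailer/remotes`, and `chown mail:mail` assumes the process that reads remotes runs as mail, which this hunk does not show. The approach itself is right: tempfile creates the file 0600 from the start, and the `mv` within one directory is a rename, so readers see either the old file or the complete new one and a 0644 remotes left over from 1:1.11-1 is replaced rather than reused. That last property only holds if this branch runs on upgrade and not just on first configure; worth confirming, since the already-installed file is the case the report is about.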



Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#684619; Package nullmailer. (Mon, 13 Aug 2012 15:09:03 GMT)


Acknowledgement sent to Aaron Schrab <aaron@schrab.com>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Mon, 13 Aug 2012 15:09:03 GMT)


Message #15 received at 684619@bugs.debian.org:

From: Aaron Schrab <aaron@schrab.com>
To: Nick Leverton <nick@leverton.org>
Cc: 684619@bugs.debian.org
Subject: Re: Bug#684619: [nullmailer] Debconf prompts for info that might contain password, saves to world-readable file
Date: Mon, 13 Aug 2012 11:00:08 -0400
At 08:54 +0100 13 Aug 2012, Nick Leverton <nick@leverton.org> wrote:
>Thanks for the very good catch on this one.  The package is ready to
>upload but needs a sponsor.  Would you be able to spare a bit more
>time to upload the fix for me, please ?

Sorry I'm not a Debian Developer, so I can't upload packages.



Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#684619; Package nullmailer. (Mon, 13 Aug 2012 17:48:05 GMT)


Acknowledgement sent to Bart Martens <bartm@debian.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Mon, 13 Aug 2012 17:48:05 GMT)


Message #20 received at 684619@bugs.debian.org:

From: Bart Martens <bartm@debian.org>
To: Nick Leverton <nick@leverton.org>, 684619@bugs.debian.org
Subject: [nullmailer] Debconf prompts for info that might contain password, saves to world-readable file
Date: Mon, 13 Aug 2012 17:45:40 +0000
Hi Nick,

Why not simply use touch and chmod ?

  |  touch file.txt
  |  chmod 600 file.txt
  |  echo secret > file.txt

Regards,

Bart Martens



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#684619; Package nullmailer. (Mon, 13 Aug 2012 20:27:06 GMT)


Acknowledgement sent to Nick Leverton <nick@leverton.org>:
Extra info received and forwarded to list. (Mon, 13 Aug 2012 20:27:06 GMT)


Message #25 received at 684619@bugs.debian.org:

From: Nick Leverton <nick@leverton.org>
To: Bart Martens <bartm@debian.org>, 684619@bugs.debian.org
Subject: Re: Bug#684619: [nullmailer] Debconf prompts for info that might contain password, saves to world-readable file
Date: Mon, 13 Aug 2012 21:24:15 +0100
On Mon, Aug 13, 2012 at 05:45:40PM +0000, Bart Martens wrote:
> Hi Nick,
> 
> Why not simply use touch and chmod ?
> 
>   |  touch file.txt
>   |  chmod 600 file.txt
>   |  echo secret > file.txt

It's still susceptible to reading, by someone opening the file inbetween
the touch and the chmod.  Admittedly a much narrower window of insecurity
but still there.

Nick
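
The window Nick describes is real, and it is wider than it looks: Unix checks permissions at open(2), so a descriptor opened while the file is still 0644 keeps read access after the chmod and can read whatever is written afterwards. The following is an added example, not code from the thread or the nullmailer package. It shows the racy pattern from Bart's message, with the "attacker" being the same user (which only demonstrates the mechanism; any other local user who opens in the window gets the same result), beside two ways to create the file as 0600 from the first instant: a subshell umask, and the tempfile-then-rename shape the 1.11-2 postinst uses. It runs in a throwaway directory; filenames and the "secret" value are made up.

```shell
#!/bin/sh
# Added example, not code from the nullmailer package or the thread:
# why "touch; chmod 600; echo secret > file" leaves a window, and two
# ways to create a secret file with mode 0600 from the start.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Permission bits as ls prints them, e.g. "-rw-------".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# The racy pattern. A descriptor opened while the file is 0644 survives
# the chmod, so the secret written afterwards is readable through it.
racy_write() {
    f="$WORK/racy"
    touch "$f"            # created with the process umask, usually 0644
    exec 3< "$f"          # attacker opens in the touch..chmod window
    chmod 600 "$f"        # too late for the already-open descriptor
    echo "secret" > "$f"
    head -n 1 <&3         # attacker still reads the secret
    exec 3<&-
}

# Fix 1: restrict the umask in a subshell so the redirect itself creates
# the file as 0600. No window, no chmod, and the caller's umask is kept.
umask_write() {
    f="$WORK/umask"
    ( umask 077; echo "secret" > "$f" )
    mode_of "$f"
}

# Fix 2, the shape the 1.11-2 postinst uses with tempfile(1): create a
# 0600 temporary file in the destination directory, fill it, then rename
# it over the old file. rename(2) is atomic within one filesystem, so a
# reader sees either the old file or the complete new one, and an old
# world-readable file is replaced rather than reused.
mktemp_write() {
    f="$WORK/remotes"
    ( umask 022; echo "old contents" > "$f" )   # simulate the 1.11-1 file
    t=$(mktemp "$WORK/remotes.XXXXXX")          # mktemp creates as 0600
    echo "secret" > "$t"
    mv -f "$t" "$f"
    mode_of "$f"
}

# Usage: the first call prints the leaked secret, the other two print
# the resulting mode of the safely created file.
racy_write
umask_write
mktemp_write
```

The same open-before-chmod trick applies to any "create, then tighten" sequence, including `install -m 600` done as two steps or a `cp` followed by `chmod`; the rule is that the mode must be right at creation, which is what umask, mktemp and tempfile give you.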



Added tag(s) patch. Request was from Nick Leverton <nick@leverton.org> to control@bugs.debian.org. (Fri, 17 Aug 2012 23:03:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#684619; Package nullmailer. (Sat, 18 Aug 2012 21:06:03 GMT)


Acknowledgement sent to Vagrant Cascadian <vagrant@debian.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Sat, 18 Aug 2012 21:06:03 GMT)


Message #32 received at 684619@bugs.debian.org:

From: Vagrant Cascadian <vagrant@debian.org>
To: Nick Leverton <nick@leverton.org>
Cc: 684619@bugs.debian.org
Subject: Re: Bug#684619: [nullmailer] Debconf prompts for info that might contain password, saves to world-readable file
Date: Sat, 18 Aug 2012 13:53:20 -0700
On Mon, Aug 13, 2012 at 08:54:52AM +0100, Nick Leverton wrote:
> Thanks for the very good catch on this one.  The package is ready to
> upload but needs a sponsor.  Would you be able to spare a bit more
> time to upload the fix for me, please ?  Source is dgettable from
> http://mentors.debian.net/debian/pool/main/n/nullmailer/nullmailer_1.11-2.dsc

I could sponsor sometime in the next couple days, if you still haven't found a 
sponsor.

live well,
  vagrant



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#684619; Package nullmailer. (Sun, 19 Aug 2012 01:21:03 GMT)


Acknowledgement sent to Nick Leverton <nick@leverton.org>:
Extra info received and forwarded to list. (Sun, 19 Aug 2012 01:21:03 GMT)


Message #37 received at 684619@bugs.debian.org:

From: Nick Leverton <nick@leverton.org>
To: Vagrant Cascadian <vagrant@debian.org>, 684619@bugs.debian.org
Subject: Re: Bug#684619: [nullmailer] Debconf prompts for info that might contain password, saves to world-readable file
Date: Sun, 19 Aug 2012 02:17:32 +0100
On Sat, Aug 18, 2012 at 01:53:20PM -0700, Vagrant Cascadian wrote:
> On Mon, Aug 13, 2012 at 08:54:52AM +0100, Nick Leverton wrote:
> > Thanks for the very good catch on this one.  The package is ready to
> > upload but needs a sponsor.  Would you be able to spare a bit more
> > time to upload the fix for me, please ?  Source is dgettable from
> > http://mentors.debian.net/debian/pool/main/n/nullmailer/nullmailer_1.11-2.dsc
> 
> I could sponsor sometime in the next couple days, if you still haven't found a 
> sponsor.

Hi Vagrant,

Thank you for offering, I'd be very happy for that whenever you have time.

Nick



Information forwarded to debian-bugs-dist@lists.debian.org, Nick Leverton <nick@leverton.org>:
Bug#684619; Package nullmailer. (Thu, 23 Aug 2012 15:09:03 GMT)


Acknowledgement sent to Bart Martens <bartm@debian.org>:
Extra info received and forwarded to list. Copy sent to Nick Leverton <nick@leverton.org>. (Thu, 23 Aug 2012 15:09:03 GMT)


Message #42 received at 684619@bugs.debian.org:

From: Bart Martens <bartm@debian.org>
To: 684619@bugs.debian.org
Subject: [nullmailer] Debconf prompts for info that might contain password, saves to world-readable file
Date: Thu, 23 Aug 2012 15:05:03 +0000
Potential sponsors can find more recent information about the package to be
sponsored on RFS bug 684679.



Reply sent to Nick Leverton <nick@leverton.org>:
You have taken responsibility. (Sat, 15 Sep 2012 17:21:10 GMT)


Notification sent to Aaron Schrab <aaron@schrab.com>:
Bug acknowledged by developer. (Sat, 15 Sep 2012 17:21:10 GMT)


Message #47 received at 684619-close@bugs.debian.org:

From: Nick Leverton <nick@leverton.org>
To: 684619-close@bugs.debian.org
Subject: Bug#684619: fixed in nullmailer 1:1.11-2
Date: Sat, 15 Sep 2012 17:19:08 +0000
Source: nullmailer
Source-Version: 1:1.11-2

We believe that the bug you reported is fixed in the latest version of
nullmailer, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 684619@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nick Leverton <nick@leverton.org> (supplier of updated nullmailer package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Tue, 21 Aug 2012 09:01:38 +0100
Source: nullmailer
Binary: nullmailer
Architecture: source amd64
Version: 1:1.11-2
Distribution: unstable
Urgency: low
Maintainer: Nick Leverton <nick@leverton.org>
Changed-By: Nick Leverton <nick@leverton.org>
Description: 
 nullmailer - simple relay-only mail transport agent
Closes: 684619
Changes: 
 nullmailer (1:1.11-2) unstable; urgency=low
 .
   * Make 'remotes' not world-readable (Closes: #684619)
Checksums-Sha1: 
 da8418627d9d1e299a2459419f8c6fab085f291f 1791 nullmailer_1.11-2.dsc
 f51d2841bd9602a05f90d72d20238c2507886829 33198 nullmailer_1.11-2.debian.tar.gz
 273e54e0ae7d46678a80f26e9a65f78c12b3b2d4 137124 nullmailer_1.11-2_amd64.deb
Checksums-Sha256: 
 92ea9daf7ecd4c8cdfca4b14901a30634111a8b6bb93a1ccec8eae919eb1241e 1791 nullmailer_1.11-2.dsc
 c8dae45c2d5b2a9d8bf8dd6d19cbaf4d676ff1a11c9747a98e826170e705e830 33198 nullmailer_1.11-2.debian.tar.gz
 49bc26710a2286413aa7c5af4031ce18a11d7720c9b9c947b607b79647770ff5 137124 nullmailer_1.11-2_amd64.deb
Files: 
 703d047ab35ba9d134934ae0a69b9225 1791 mail extra nullmailer_1.11-2.dsc
 8801de5dfc534abe6383f1446118edca 33198 mail extra nullmailer_1.11-2.debian.tar.gz
 000e32cf0a84bd967cc53e1da397e67a 137124 mail extra nullmailer_1.11-2_amd64.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 24 Oct 2012 07:26:01 GMT)


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 09 Aug 2013 20:24:04 GMT)


Changed Bug title to '[nullmailer] Debconf prompts for info that might contain password, saves to world-readable file (CVE-2013-4223)' from '[nullmailer] Debconf prompts for info that might contain password, saves to world-readable file'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 09 Aug 2013 20:24:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 07 Sep 2013 07:27:49 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 12:58:57 2019; Machine Name: buxtehude