Package: ejabberd
Version: 15.03-1
Severity: normal

Hi.

There seem to be several issues when using special characters
in the debconf questions for the password of the admin user.

1) For example, the password:
3SN);&TI"qpNxD/4m3.3?*eK>7/vtH,Z
leads to the following error:
# dpkg-reconfigure ejabberd

The ejabberd database has been backed up to 
/var/backups/ejabberd-2015-07-19T03:13:23.XQ8yvp/ejabberd-database.

Waiting for ejabberd to register admin user
sh: 1: Syntax error: ")" unexpected
Can't register admin user "user@host".


2) Things like
Cbfy=6Yi?mepN<Ow3!:>mBYJmBr7B<L[
lead to:
# dpkg-reconfigure ejabberd

The ejabberd database has been backed up to 
/var/backups/ejabberd-2015-07-19T03:20:25.2Ekt7H/ejabberd-database.

Waiting for ejabberd to register admin user
sh: 1: cannot open Ow3!:: No such file
Can't register admin user "r...@xmpp.srv.scientia.net".

So I guess parts of the password get actually executed :-/


3) And the classic:
!d0!bc1:Y{2W+>OfOgv^PA#O{5X9U

will actually create the file:
/var/lib/ejabberd/OfOgv^PA#O{5X9U


Since this is only executed as admin, I wouldn't classify it
as directly security relevant, though it can have bad consequences.


Best wishes,
Chris.
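
The failure mode reported above, reproduced as an added example (not part of the original report and not ejabberd's maintainer script): a password pasted into a command string that a second shell parses, next to two ways of passing it intact. It assumes the script builds an `sh -c` style string, which the `sh: 1:` errors suggest but the report does not show; `printf` stands in for the registration command and all function names are hypothetical.

```shell
#!/bin/sh
# Added illustration, not the ejabberd maintainer script. `printf` stands in
# for the (assumed) registration command; all function names are hypothetical.
# Each function takes $1=user $2=host $3=password and prints the password
# exactly as the stand-in command received it.

register_unsafe() {
    # Vulnerable: the password becomes part of the text a second shell parses,
    # so ) & < > " in it are treated as shell syntax.
    sh -c "printf '%s' $3" 2>/dev/null
}

register_argv() {
    # Fixed: the inner script is a constant; the password arrives as "$1".
    sh -c 'printf "%s" "$1"' sh "$3"
}

shell_quote() {
    # Single-quote a value for reuse in a command string: ' becomes '\''.
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

register_quoted() {
    # Fixed, for wrappers that only accept one command string (e.g. su -c).
    sh -c "printf '%s' $(shell_quote "$3")"
}

demo() (
    # Subshell in a scratch directory, so any stray file is disposable.
    cd "$(mktemp -d)" || exit 1
    pw='!d0!bc1:Y{2W+>OfOgv^PA#O{5X9U'   # password 3 from the report
    for f in register_unsafe register_argv register_quoted; do
        got=$("$f" admin example.org "$pw")
        [ "$got" = "$pw" ] && r=intact || r=mangled
        printf '%-16s password %s; stray files: %s\n' \
            "$f" "$r" "$(ls -A | tr '\n' ' ')"
        rm -f -- ./*
    done
)
demo
```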

