found 511893 3.0014
thanks

On Fri, Jan 23, 2009 at 11:15:41AM -0600, Manoj Srivastava wrote:
> Joey Hess <jo...@debian.org> on Fri, 23 Jan 2009 11:14:12 -0600.
> The fix will be in the next upload.
> =========================================================================
> reset diff question after use so contents are not written to disk
Unfortunately this is not enough (or even needed): the sensitive data
is not stored in the value of ucf/show_diff, but in the DIFF variable
associated with it, as verified by e.g.

 grep-dctrl -FName ucf/show_diff /var/cache/debconf/config.dat

Proposed patch attached.
-- 
Niko Tyni nt...@debian.org
>From 407408c564a864f9f433ced69c359b7d33a58a2f Mon Sep 17 00:00:00 2001 From: Niko Tyni <nt...@debian.org> Date: Wed, 4 Feb 2009 00:06:26 +0200 Subject: [PATCH] Substitute the ucf/show_diff DIFF variable contents to protect sensitive data > reset diff question after use so contents are not written to disk Unfortunately this is not enough (or even needed): the sensitive data is not stored in the value of ucf/show_diff, but in the DIFF variable associated with it. --- ucf | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/ucf b/ucf index 883897b..b2f60da 100755 --- a/ucf +++ b/ucf @@ -78,6 +78,7 @@ show_diff() { # may contain sensitive information, so clear # immediatly after use so it is never written # to disk + db_subst $templ DIFF "" db_reset $templ db_capb else -- 1.5.6.5
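Review bot: the commit message says the reset is "not enough (or even needed)", yet in show_diff() the hunk keeps `db_reset $templ` right after the added `db_subst $templ DIFF ""`, and the comment above both still reads as one undifferentiated "clear immediately after use". Either drop the reset in the same change or extend the comment to say that the empty DIFF substitution is what keeps the diff out of the database and why the reset stays. The clearing also only runs on this branch (above the `else`), so DIFF content that earlier versions already left in /var/cache/debconf/config.dat remains there until this path runs again; that deserves a changelog note or a one-time cleanup.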
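A check for the condition described in the message above, as an added example that is not part of the original mail or of ucf: it scans a debconf config.dat-style file for questions whose DIFF variable is still non-empty. The stanza layout, the example/cleared question name and the sample data are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from ucf or debconf): list questions in a debconf
# config.dat-style file that still carry a non-empty DIFF variable.
# Assumed layout: blank-line separated stanzas, a "Name:" field, and a
# "Variables:" field followed by indented " KEY = value" lines.

# residual_diff FILE: prints "<question> <value length>" per finding.
# Only the length is printed so the check does not leak the diff itself.
residual_diff() {
    awk '
        /^[ \t]*$/    { name = ""; invars = 0; next }   # end of stanza
        /^Name:/      { name = $2; invars = 0; next }
        /^Variables:/ { invars = 1; next }
        /^[^ \t]/     { invars = 0; next }              # some other field
        invars && /^[ \t]+DIFF[ \t]*=/ {
            val = $0
            sub(/^[ \t]+DIFF[ \t]*=[ \t]*/, "", val)
            if (length(val) > 0) print name, length(val)
        }
    ' "$1"
}

# Constructed sample: one stanza with DIFF substituted to the empty string,
# one as left behind before the fix. "example/cleared" is a made-up name.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Name: example/cleared
Template: example/cleared
Owners: example
Variables:
 DIFF =

Name: ucf/show_diff
Template: ucf/show_diff
Owners: ucf
Flags: seen
Variables:
 DIFF = -password=OLD\n+password=NEW
EOF

residual_diff "$sample"
rm -f "$sample"
```

On a real system the argument would be /var/cache/debconf/config.dat, which is normally readable only by root.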