Package: ucf
Version: 3.0011
Severity: grave
Tags: security

How to reproduce:
r...@vice:/tmp/ucftest# cat test1 
password="secret";
user="root";
start="no";
foor="bar";
r...@vice:/tmp/ucftest# 

Let's install it:
r...@vice:/tmp/ucftest# ucf test1 /tmp/ucftest/installed

Creating config file /tmp/ucftest/installed with new version
r...@vice:/tmp/ucftest# 

Now we will change the password from "secret" to "verysecret" :)

And we will install the upgraded package :)

r...@vice:/tmp/ucftest# cat test2 
password="secret";
user="root";
start="no";
foor="bar";
bar="foo";
r...@vice:/tmp/ucftest# ucf test2 /tmp/ucftest/installed
Replacing config file /tmp/ucftest/installed with new version

When ucf asks for confirmation I look at the diff.

And now let's search through the debconf database /var/cache/debconf/config.dat:
OMG!

=====
Name: ucf/show_diff
Template: ucf/show_diff
Value: 
Owners: ucf
Flags: seen
Variables:
 DIFF = --- /tmp/ucftest/installed 2009-01-15 16:19:18.122649009 +0300\n+++ 
/tmp/ucftest/test2 2009-01-15 16:19:08.263149119 +0300\n@@ -1,4 +1,5 
@@\n-password="verysecret";\n+password="secret";\n user="root";\n start="no";\n 
foor="bar";\n+bar="foo";
=====

/var/cache/debconf/config.dat is world readable.


-- System Information:
Debian Release: 5.0
  APT prefers testing-proposed-updates
  APT policy: (700, 'testing-proposed-updates'), (700, 'testing'), (670, 
'proposed-updates'), (670, 'stable'), (600, 'unstable'), (550, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages ucf depends on:
ii  coreutils                     6.10-6     The GNU core utilities
ii  debconf                       1.5.24     Debian configuration management sy

ucf recommends no packages.

ucf suggests no packages.

-- debconf information:
* ucf/show_diff:
* ucf/changeprompt_threeway: install_new
  ucf/title:
* ucf/changeprompt: install_new



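An added audit helper, written for this report and not part of ucf or of the bug report itself: a POSIX sh function that checks whether a debconf database file is world-readable and whether the ucf/show_diff record still carries a stored DIFF variable (the place where the password ended up above). The default path /var/cache/debconf/config.dat and the sample record written by make_sample are assumptions for illustration.

```shell
#!/bin/sh
# check_leak DBFILE: report if DBFILE is world-readable and if the
# ucf/show_diff record still stores a diff. Returns 0 when clean,
# 1 when a stored diff is found, 2 when the file cannot be read.
check_leak() {
    db="${1:-/var/cache/debconf/config.dat}"   # assumed default path
    [ -r "$db" ] || { echo "cannot read $db"; return 2; }
    # 8th character of the ls mode string is the "other" read bit
    mode=$(ls -l "$db" | cut -c8)
    [ "$mode" = "r" ] && echo "WARNING: $db is world-readable"
    # debconf records are blank-line separated; continuation lines of
    # Variables: start with a space. Pull DIFF from ucf/show_diff only.
    diff=$(awk '
        /^Name: ucf\/show_diff$/ { inrec = 1; next }
        /^$/                     { inrec = 0 }
        inrec && /^ DIFF = /     { sub(/^ DIFF = /, ""); print }
    ' "$db")
    if [ -n "$diff" ]; then
        echo "LEAK: ucf/show_diff still stores a diff (${#diff} bytes)"
        return 1
    fi
    echo "OK: no stored diff in ucf/show_diff"
    return 0
}

# make_sample DBFILE: write a constructed config.dat fragment that mirrors
# the record quoted in the report (values made up for testing).
make_sample() {
    cat > "$1" <<'EOF'
Name: ucf/changeprompt
Template: ucf/changeprompt
Value: install_new
Owners: ucf

Name: ucf/show_diff
Template: ucf/show_diff
Value: 
Owners: ucf
Flags: seen
Variables:
 DIFF = --- /tmp/ucftest/installed\n+++ /tmp/ucftest/test2\n-password="verysecret";\n+password="secret";
EOF
}
```

Run it against the real database with `check_leak` after a ucf upgrade that showed a diff; a non-zero exit with a LEAK line means the diff (and whatever secrets it contained) is still persisted.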