Your message dated Fri, 23 Jan 2009 20:47:31 +0000
with message-id <e1lqsw7-0002h2...@ries.debian.org>
and subject line Bug#511893: fixed in ucf 3.0012
has caused the Debian Bug report #511893,
regarding ucf stores diff (of private files) in debconf (world readable)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
511893: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511893
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ucf
Version: 3.0011
Severity: grave
Tags: security
How to reproduce:
r...@vice:/tmp/ucftest# cat test1
password="secret";
user="root";
start="no";
foor="bar";
r...@vice:/tmp/ucftest#
Let's install it:
r...@vice:/tmp/ucftest# ucf test1 /tmp/ucftest/installed
Creating config file /tmp/ucftest/installed with new version
r...@vice:/tmp/ucftest#
Now we will change the password from "secret" to "verysecret" :)
And will install the upgraded package :)
r...@vice:/tmp/ucftest# cat test2
password="secret";
user="root";
start="no";
foor="bar";
bar="foo";
r...@vice:/tmp/ucftest# ucf test2 /tmp/ucftest/installed
Replacing config file /tmp/ucftest/installed with new version
When ucf asks for confirmation I look at the diff.
And now let's search through the debconf database /var/cache/debconf/config.dat:
OMG!
=====
Name: ucf/show_diff
Template: ucf/show_diff
Value:
Owners: ucf
Flags: seen
Variables:
DIFF = --- /tmp/ucftest/installed 2009-01-15 16:19:18.122649009 +0300\n+++
/tmp/ucftest/test2 2009-01-15 16:19:08.263149119 +0300\n@@ -1,4 +1,5
@@\n-password="verysecret";\n+password="secret";\n user="root";\n start="no";\n
foor="bar";\n+bar="foo";
=====
/var/cache/debconf/config.dat is world readable.
-- System Information:
Debian Release: 5.0
APT prefers testing-proposed-updates
APT policy: (700, 'testing-proposed-updates'), (700, 'testing'), (670,
'proposed-updates'), (670, 'stable'), (600, 'unstable'), (550, 'experimental')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages ucf depends on:
ii coreutils 6.10-6 The GNU core utilities
ii debconf 1.5.24 Debian configuration management sy
ucf recommends no packages.
ucf suggests no packages.
-- debconf information:
* ucf/show_diff:
* ucf/changeprompt_threeway: install_new
ucf/title:
* ucf/changeprompt: install_new
--- End Message ---
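An added audit check for the exposure reported above (example code of my own, not ucf's and not from the report); it assumes the config.dat stanza layout quoted in the report and a POSIX sh with awk:

```shell
#!/bin/sh
# Added audit example; not ucf's own code and not from the bug report. Scans a
# debconf database in the config.dat layout quoted above for stanzas whose DIFF
# variable still holds a diff: what a ucf without the 3.0012 fix leaves behind.

# leaked_diffs FILE: prints the Name of every stanza whose " DIFF =" variable
# is non-empty, in file order; exit status 0 if any found, 1 if none.
leaked_diffs() {
    awk '
        /^Name: / { name = substr($0, 7) }      # "Name: " is 6 characters
        /^ DIFF =/ {                            # variable line under Variables:
            val = substr($0, 8); sub(/^ +/, "", val)
            if (val != "") { print name; hits++ }
        }
        /^$/ { name = "" }                      # blank line ends the stanza
        END { if (hits) exit 0; exit 1 }
    ' "$1"
}

# world_readable FILE: exit 0 if the "other" read bit is set (ls -ld column 8,
# the same on GNU and BSD userlands).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# make_sample: writes a constructed config.dat (not from any real system) to a
# temporary file and prints its path. The second stanza is the benign case of
# a question that was reset after use, so its DIFF variable is empty.
make_sample() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Name: ucf/show_diff
Template: ucf/show_diff
Value:
Owners: ucf
Flags: seen
Variables:
 DIFF = --- /etc/example.conf\n+++ /tmp/example.conf.new\n-password="old"\n+password="new"

Name: ucf/title
Template: ucf/title
Value:
Owners: ucf
Flags: seen
Variables:
 DIFF =
EOF
    echo "$f"
}
```

On a real host, source the file and call `leaked_diffs /var/cache/debconf/config.dat` together with `world_readable /var/cache/debconf/config.dat`; both succeeding at once is exactly the exposure the report describes.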
--- Begin Message ---
Source: ucf
Source-Version: 3.0012
We believe that the bug you reported is fixed in the latest version of
ucf, which is due to be installed in the Debian FTP archive:
ucf_3.0012.dsc
to pool/main/u/ucf/ucf_3.0012.dsc
ucf_3.0012.tar.gz
to pool/main/u/ucf/ucf_3.0012.tar.gz
ucf_3.0012_all.deb
to pool/main/u/ucf/ucf_3.0012_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 511...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Manoj Srivastava <sriva...@debian.org> (supplier of updated ucf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Fri, 23 Jan 2009 11:48:09 -0600
Source: ucf
Binary: ucf
Architecture: source all
Version: 3.0012
Distribution: unstable
Urgency: low
Maintainer: Manoj Srivastava <sriva...@debian.org>
Changed-By: Manoj Srivastava <sriva...@debian.org>
Description:
ucf - Update Configuration File: preserve user changes to config files.
Closes: 511031 511893
Changes:
ucf (3.0012) unstable; urgency=low
.
* [29fbb69]: reset diff question after use so contents are not written to
disk
Debconf does not use world readable "temporary internal
files" as Manoj hypothesises. Data is only written to disk if it is
left in the debconf database when the frontend (ucf) exits.
Tightening the permissions on the debconf database would break
several things including use of debconf-show in reportbug.
.
From 27b3c41c531016ffa506987bf4a856345992a204 Mon Sep 17 00:00:00 2001
From: Joey Hess <j...@gnu.kitenet.net>
Date: Wed, 21 Jan 2009 13:03:55 -0500
Subject: [PATCH] reset diff question after use so contents are not written to disk
Closes: Bug#511893
* [9eb5118]: ucf uses debconf even if called without --debconf-ok and hangs
ucf, even if it is called without --debconf-ok, uses debconf and
hangs if db_stop had been already called, since it tries to load
/usr/share/debconf/confmodule and loads the ucf debconf templates.
This is a minimal change, and just moves the test of DEBCONF_OK
earlier. Thanks to Robert Luberda for the report and suggested fix.
Closes: Bug#511031
* [26a61b8]: Start issuing a diagnostic if ucf is forced to not use debconf
If ucf is called without the --debconf-ok switch, and
debconf is started, issue a diagnostic, and use old style prompting
on the command line. This is a policy violation, and soon the non-
debconf prompting shall be removed.
* [3ce2104]: Rearrange code for readability, and add comment blocks
Signed-off-by: Manoj Srivastava <sriva...@debian.org>
--- End Message ---