Your message dated Fri, 06 Feb 2009 21:47:02 +0000
with message-id <e1lvyxo-00089o...@ries.debian.org>
and subject line Bug#511893: fixed in ucf 3.0016
has caused the Debian Bug report #511893,
regarding ucf stores diff (of private files) in debconf (world readable)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
511893: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511893
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ucf
Version: 3.0011
Severity: grave
Tags: security
How to reproduce:
r...@vice:/tmp/ucftest# cat test1
password="secret";
user="root";
start="no";
foor="bar";
r...@vice:/tmp/ucftest#
Let's install it:
r...@vice:/tmp/ucftest# ucf test1 /tmp/ucftest/installed
Creating config file /tmp/ucftest/installed with new version
r...@vice:/tmp/ucftest#
Now we will change the password from "secret" to "verysecret" :)
And will install the upgraded package :)
r...@vice:/tmp/ucftest# cat test2
password="secret";
user="root";
start="no";
foor="bar";
bar="foo";
r...@vice:/tmp/ucftest# ucf test2 /tmp/ucftest/installed
Replacing config file /tmp/ucftest/installed with new version
When ucf asks for confirmation I look at the diff.
And now let's search through the debconf database /var/cache/debconf/config.dat:
OMG!
=====
Name: ucf/show_diff
Template: ucf/show_diff
Value:
Owners: ucf
Flags: seen
Variables:
DIFF = --- /tmp/ucftest/installed 2009-01-15 16:19:18.122649009 +0300\n+++
/tmp/ucftest/test2 2009-01-15 16:19:08.263149119 +0300\n@@ -1,4 +1,5
@@\n-password="verysecret";\n+password="secret";\n user="root";\n start="no";\n
foor="bar";\n+bar="foo";
=====
/var/cache/debconf/config.dat is world readable.
-- System Information:
Debian Release: 5.0
APT prefers testing-proposed-updates
APT policy: (700, 'testing-proposed-updates'), (700, 'testing'), (670,
'proposed-updates'), (670, 'stable'), (600, 'unstable'), (550, 'experimental')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages ucf depends on:
ii coreutils 6.10-6 The GNU core utilities
ii debconf 1.5.24 Debian configuration management sy
ucf recommends no packages.
ucf suggests no packages.
-- debconf information:
* ucf/show_diff:
* ucf/changeprompt_threeway: install_new
ucf/title:
* ucf/changeprompt: install_new
--- End Message ---
--- Begin Message ---
Source: ucf
Source-Version: 3.0016
We believe that the bug you reported is fixed in the latest version of
ucf, which is due to be installed in the Debian FTP archive:
ucf_3.0016.dsc
to pool/main/u/ucf/ucf_3.0016.dsc
ucf_3.0016.tar.gz
to pool/main/u/ucf/ucf_3.0016.tar.gz
ucf_3.0016_all.deb
to pool/main/u/ucf/ucf_3.0016_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 511...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Manoj Srivastava <sriva...@debian.org> (supplier of updated ucf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Fri, 06 Feb 2009 13:48:44 -0600
Source: ucf
Binary: ucf
Architecture: source all
Version: 3.0016
Distribution: unstable
Urgency: low
Maintainer: Manoj Srivastava <sriva...@debian.org>
Changed-By: Manoj Srivastava <sriva...@debian.org>
Description:
ucf - Update Configuration File: preserve user changes to config files.
Closes: 511893 514071
Changes:
ucf (3.0016) unstable; urgency=low
.
* [bd1dfcb]: Substitute the ucf/show_diff DIFF variable contents to
protect sensitive data. The previous fix said "reset diff question
after use so contents are not written to disk". Unfortunately this is
not enough (or even needed): the sensitive data is not stored in the
value of ucf/show_diff, but in the DIFF variable associated with it.
Bug fix: "ucf stores diff (of private files) in debconf (world readable)"
Closes: Bug#511893 Author: Niko Tyni <nt...@debian.org>
* [f5cbbdf]: Show the differences on the first try
Until 3.0012, ucf/show_diff was reset just before showing it to the
user. This would unset the 'seen' flag properly. However, moving the
db_reset call after db_input made the latter skip the note on the
first time if the 'seen' flag was already set. To make things worse,
Debconf::ConfModule::finish() sets the 'seen' flag for all the
questions it has handled before exiting, so the flag was always true
after debconf exited. Simply unsetting the flag before db_input fixes
this.
Bug fix: "skips differences on the first try", thanks to Niko Tyni
(Closes: #514071).
* [debiandir:dce60af]: Update the location of the copyright file
Since I have not elected to license this under later versions of the
GPL, the license link in the copyright file must change.
* Updated lintian overrides to shut lintian up.
--- End Message ---
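The leak the report reproduces, and which the changelog entry above locates precisely (the diff sits in the DIFF variable of the ucf/show_diff stanza, not in its Value), can be audited for on a system with the script below. This is an added example, not code from the report or from ucf itself; the sample config.dat stanza, the path /etc/demo.conf and the password values in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the bug report or of ucf itself.
# Audits a debconf database for the leak from #511893: ucf before 3.0016
# left the config-file diff in the DIFF variable of the ucf/show_diff
# stanza of the world-readable /var/cache/debconf/config.dat.

# Print the DIFF variable of the ucf/show_diff stanza (debconf escapes
# newlines as a literal "\n", so the whole diff is one line).
# Exit 0 when a non-empty diff is present, 1 when the database is clean.
ucf_diff_leaked() {
    awk '
        /^Name: /          { name = $2 }
        /^[ \t]*DIFF = /   {
            if (name == "ucf/show_diff") {
                sub(/^[ \t]*DIFF = /, "")
                if ($0 != "") { found = 1; print }
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Exit 0 when "other" has read permission on the file, which is what
# turned a leftover diff into an information disclosure.
world_readable() {
    [ -n "$(find "$1" -perm -004 -print)" ]
}

# Constructed sample in the layout quoted in the report; the path and the
# password values are made up for the demonstration.
make_sample_dat() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
Name: ucf/show_diff
Template: ucf/show_diff
Value:
Owners: ucf
Flags: seen
Variables:
 DIFF = --- /etc/demo.conf\n+++ /etc/demo.conf.ucf-new\n@@ -1 +1 @@\n-password="verysecret";\n+password="secret";
EOF
    chmod 644 "$f"
    printf '%s\n' "$f"
}

# On a real system:
#   ucf_diff_leaked /var/cache/debconf/config.dat && world_readable /var/cache/debconf/config.dat
```

A non-empty DIFF on an affected system is cleared by the fixed ucf on its next run; until then, tightening the file mode removes the world-readable half of the problem.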