Your message dated Mon, 20 Feb 2023 09:48:55 +0000
with message-id <e1pu2n1-000b28...@fasolo.debian.org>
and subject line Bug#998206: fixed in bsdmainutils 12.1.8
has caused the Debian Bug report #998206,
regarding calendar: cronjob processes all users’ calendars as root, allowing information disclosure
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
998206: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998206
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: calendar
Version: 12.1.7+nmu3
Severity: serious
Tags: security
Justification: security
X-Debbugs-Cc: t...@mirbsd.de, Debian Security Team <t...@security.debian.org>

I was wondering how Debian’s calendar(1) packaging handled the
setusercontext(3) part, and after finding d/p/calendar_cap.diff
I see it just… does away with it õÕ

This allows wonderful information disclosure:

tglase@tglase-nb:~ $ cat .calendar/calendar 
Nov 01  Allerheiligen
#define Def Nov 01
#define Job Nov 01
#define Mem Nov 01
#define Usr Nov 01
#include "/root/.toprc"
tglase@tglase-nb:~ $ cat /root/.toprc
cat: /root/.toprc: Permission denied

↓       ↓       ↓

From: Reminder Service <tgl...@tglase-nb.lan.tarent.de>
Message-ID: <20211031232839.c72361c3...@tglase-nb.lan.tarent.de>
To: tgl...@tglase-nb.lan.tarent.de
Date: Mon,  1 Nov 2021 00:28:39 +0100 (CET)
Subject: Monday's Calendar

Nov 01  Allerheiligen
Nov 01  fieldscur=AEhIOQTrspvuWbcdfgjyzlKNMX
        winflags=65208, sortindx=10, maxtasks=0
        summclr=6, msgsclr=6, headclr=7, taskclr=7
Nov 01  fieldscur=ABcefgjlrstuvyzMKNHIWOPQDX
        winflags=62776, sortindx=0, maxtasks=0
        summclr=6, msgsclr=6, headclr=7, taskclr=6
Nov 01  fieldscur=ANOPQRSTUVbcdefgjlmyzWHIKX
        winflags=62776, sortindx=13, maxtasks=0
        summclr=5, msgsclr=5, headclr=4, taskclr=5
Nov 01  fieldscur=ABDECGfhijlopqrstuvyzMKNWX
        winflags=62776, sortindx=4, maxtasks=0
        summclr=3, msgsclr=3, headclr=2, taskclr=3


This is *mildly* mitigated by the fact that you can only extract
contents of files that start with a cpp-able string *and* contain
a tab somewhere after that (because calendar(1) does not call cpp(1)
with -traditional-cpp, which is another minor bug in the port), but
I believe people can and will find creative ways to extract more.

/root/.wget-hsts can be used to see whether a given host was already
contacted, for example.

-- System Information:
Debian Release: 11.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'oldstable-updates'), (500, 'oldoldstable'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-8-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages calendar depends on:
ii  cpp      4:10.2.1-1
ii  libbsd0  0.11.3-1
ii  libc6    2.31-13+deb11u2

calendar recommends no packages.

calendar suggests no packages.

-- Configuration Files:
/etc/cron.daily/calendar changed:
. /etc/default/calendar
[ x$RUN_DAILY = xtrue ] || exit 0
[ -x /usr/sbin/sendmail ] || exit 0
if [ ! -x /usr/bin/cpp ]; then
  echo "The cpp package is needed to run calendar."
  exit 1
fi
/usr/bin/calendar -a

/etc/default/calendar changed:
RUN_DAILY=true


-- no debconf information

--- End Message ---
--- Begin Message ---
Source: bsdmainutils
Source-Version: 12.1.8
Done: Michael Meskes <mes...@debian.org>

We believe that the bug you reported is fixed in the latest version of
bsdmainutils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 998...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Meskes <mes...@debian.org> (supplier of updated bsdmainutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 20 Feb 2023 10:19:03 +0100
Source: bsdmainutils
Architecture: source
Version: 12.1.8
Distribution: unstable
Urgency: medium
Maintainer: Debian Bsdmainutils Team <pkg-bsdmainut...@teams.debian.net>
Changed-By: Michael Meskes <mes...@debian.org>
Closes: 989688 998206 1004751 1030808
Changes:
 bsdmainutils (12.1.8) unstable; urgency=medium
 .
   * Drop root privileges before opening calendar files. (Closes: #998206)
   * Remove freebsd.h which is not really used in the compile process but is
     causing FTBFS on musl.
     (Closes: #989688)
   * Fixed unicode error in calendar file (Closes: #1030808)
   * Removed Ubuntu calendar (Closes: #1004751)
   * Bumped Standards-Version to 4.6.2, no changes needed.


--- End Message ---
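The changelog entry above ("Drop root privileges before opening calendar files") comes down to the pattern below: the process becomes the calendar's owner before the file, and the cpp(1) run that expands its "#include" lines, are touched, so a root-only path like /root/.toprc is refused by the kernel instead of ending up in the reminder mail. This is an added example, not bsdmainutils' or Debian's own code; drop_privileges, open_calendar_as, the 64-group cap and the 65534 fallback uid are assumptions, and /etc/passwd stands in for a user's calendar file.

```c
/* Added example, not bsdmainutils' own code: become the calendar's owner
 * before opening the file, as the 12.1.8 changelog entry describes. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* True when no supplementary group other than gid is attached. */
static int only_group(gid_t gid)
{
    gid_t list[64];
    int n = getgroups(64, list);
    for (int i = 0; i < n; i++)
        if (list[i] != gid) return 0;
    return n >= 0;
}

/* Permanently become uid/gid; 0 on success, -1 otherwise. Groups go
 * first because an unprivileged uid can no longer change them. */
int drop_privileges(uid_t uid, gid_t gid)
{
    int was_root = geteuid() == 0;
    if (was_root && setgroups(1, &gid) != 0 && !only_group(gid))
        return -1;                 /* leftover groups would keep access */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* The drop must be irreversible: regaining root has to fail now. */
    if (was_root && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;
}

/* Open a user's calendar with that user's identity; cpp(1), run after
 * this point, is then refused a root-only file named by an "#include". */
int open_calendar_as(const char *path, uid_t uid, gid_t gid)
{
    if (drop_privileges(uid, gid) != 0)
        return -1;
    return open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
}

int main(void)
{
    uid_t uid = getuid() ? getuid() : 65534;   /* assumed: nobody when root */
    gid_t gid = getgid() ? getgid() : 65534;
    int fd = open_calendar_as("/etc/passwd", uid, gid); /* stand-in path */
    printf("euid=%u open %s\n", (unsigned)geteuid(), fd < 0 ? "refused" : "ok");
    return fd < 0;
}
```

Run as root, the process ends up as uid 65534 and cannot get back; run unprivileged, the calls are no-ops on the caller's own ids and the check still passes.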
