ldapscripts.passwd uses insecure permissions by default

Bug #1662164 reported by Dan Bishop
Affects               Status        Importance  Assigned to  Milestone
ldapscripts (Debian)  Fix Released  Unknown     -            -
ldapscripts (Ubuntu)  Incomplete    Medium      Dan Bishop   -

Bug Description

When installing the ldapscripts package, the default "/etc/ldapscripts/ldapscripts.passwd" file is world readable!

It should only be readable by root. The conf file also confirms in its comments that this file should NOT be world readable.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

12.04 LTS:
-rw-r----- 1 root root 6 Jan 30 2012 /etc/ldapscripts/ldapscripts.passwd

14.04 LTS:
-rw-r----- 1 root root 6 Nov 24 2013 /etc/ldapscripts/ldapscripts.passwd

16.04 LTS:
-rw-r--r-- 1 root root 6 Jan 3 2016 /etc/ldapscripts/ldapscripts.passwd

16.10:
-rw-r--r-- 1 root root 6 Jan 3 2016 /etc/ldapscripts/ldapscripts.passwd

zesty:
-rw-r----- 1 root root 6 Dec 31 22:54 /etc/ldapscripts/ldapscripts.passwd

information type: Private Security → Public Security
Changed in ldapscripts (Debian):
status: Unknown → Fix Released
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks Dan, it looks like this was introduced with a switch from cdbs to dh packaging formats in Debian version 2.0.6-1 and fixed in Debian version 2.0.7-2. This patch appears to be sufficient to fix the issue:

https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=834578;filename=ldapscripts.diff.txt;msg=10

Because this package is in Universe it is community-supported; could you try to prepare a debdiff to fix this issue? When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Thanks

Revision history for this message
Dan Bishop (danbishop) wrote :

I think this is what is required...

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "ldapscripts_2.0.6-1ubuntu2.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Hi Dan - Thanks so much for attaching the debdiff!

I've reviewed the debdiff and have some feedback:

1) Both Ubuntu 16.04 LTS and Ubuntu 16.10 are affected. If possible, a debdiff
   for each release would be appreciated.

2) The version used in the debdiff is incorrect. It should follow the
   guidelines described in section #2 here:

   https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging

   Ubuntu 16.04 LTS should use 2.0.6-1ubuntu1.16.04.1 and Ubuntu 16.10 should
   use 2.0.6-1ubuntu1.16.10.1

3) The distribution field in the changelog should be "xenial-security" instead
   of "xenial". The Ubuntu 16.10 debdiff would use "yakkety-security". This is
   described in section #3 in the same link as above.

4) The changelog contents should be more descriptive. It should follow the
   guidelines described in section #3 in the same link as above. Something like
   this would work:

  * SECURITY UPDATE: Incorrect permissions on the
    /etc/ldapscripts/ldapscripts.passwd file allow local attackers to read the
    contents (LP: #1662164)
    - debian/rules: Fix typo that prevented dh_fixperms from applying the
      correct ldapscripts.passwd permissions

5) You didn't mention what level of testing you performed. Were you able to
   verify that the file permissions were correct after installing the new
   package?

Please attach new debdiffs and mention the testing that you were able to
perform. Thanks again and don't hesitate to ask any questions!

Tyler Hicks (tyhicks)
Changed in ldapscripts (Ubuntu):
status: New → Incomplete
importance: Undecided → Medium
assignee: nobody → Dan Bishop (danbishop)
Revision history for this message
Tyler Hicks (tyhicks) wrote :

I've unsubscribed ubuntu-security-sponsors.

Dan, please resubscribe ubuntu-security-sponsors and set the status to 'NEW' when you're able to make the changes mentioned in comment #5. Thanks!

tags: added: patch-needswork