reportbug: config files are world readable

Bug #12955 reported by Debian Bug Importer on 2005-02-15
Affects: reportbug (Debian); Status: Fix Released; Importance: Unknown
Affects: reportbug (Ubuntu); Importance: High; Assigned to: Martin Pitt

Bug Description

Automatically imported from Debian bug report #295407 http://bugs.debian.org/295407

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 15 Feb 2005 11:53:16 +0100
From: Rolf Leggewie <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: reportbug: config files are world readable

Package: reportbug
Version: 3.2
Severity: grave
Justification: user security hole

The conf files for reportbug are created world-readable. For users of
smart-hosts this represents a security hole since it exposes their
passwords on that host for any local user to pick up. Heck, reportbug
even included that information in this bug report before I deleted it.

-- Package-specific info:
** /home/leggewie/.reportbugrc:
reportbug_version "3.2"
mode standard
ui text
realname "Rolf Leggewie"
email "<email address hidden>"
smtphost "postman.arcor.de"

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-1-586tsc
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages reportbug depends on:
ii python2.3 2.3.4-19 An interactive high-level object-o

-- no debconf information

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 15 Feb 2005 13:02:36 -0500
From: Chris Lawrence <email address hidden>
To: <email address hidden>
Subject: Bug#295407: fixed in reportbug 3.8

Source: reportbug
Source-Version: 3.8

We believe that the bug you reported is fixed in the latest version of
reportbug, which is due to be installed in the Debian FTP archive:

reportbug_3.8.dsc
  to pool/main/r/reportbug/reportbug_3.8.dsc
reportbug_3.8.tar.gz
  to pool/main/r/reportbug/reportbug_3.8.tar.gz
reportbug_3.8_all.deb
  to pool/main/r/reportbug/reportbug_3.8_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Chris Lawrence <email address hidden> (supplier of updated reportbug package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 15 Feb 2005 11:50:53 -0600
Source: reportbug
Binary: reportbug
Architecture: source all
Version: 3.8
Distribution: unstable
Urgency: medium
Maintainer: Chris Lawrence <email address hidden>
Changed-By: Chris Lawrence <email address hidden>
Description:
 reportbug - reports bugs in the Debian distribution
Closes: 293188 295407
Changes:
 reportbug (3.8) unstable; urgency=medium
 .
   * Create .reportbugrc with mode 600. (Closes: #295407)
   * Drop references to bug(1) from man page. (Closes: #293188)
   * Don't send Bcc field in messages to any external programs.
Files:
 dbea6643902266b455f77e1296674be1 520 utils standard reportbug_3.8.dsc
 6f4eae34ceea8f7b8cdbf0286a46eaa4 128974 utils standard reportbug_3.8.tar.gz
 157abbd5e1a74399183009937da6a14e 109090 utils standard reportbug_3.8_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCEjcQ2wQKE6PXubwRAjEIAJ4o2VHu6nm2+e/ETrbIQqoXcxs4hwCghqn6
IwvFLsM/ocEF86Q7jmqyXTc=
=GTVa
-----END PGP SIGNATURE-----
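
The fix recorded in the changelog above ("Create .reportbugrc with mode 600"), shown as an added example that is not reportbug's own code: a default `open()` beside a creation path that is owner-only from the first byte, plus a check for group/other bits on an existing file. The file names, the helper names and the sample contents (including the password key and value) are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed sample contents; the values are placeholders, not taken from the report.
SAMPLE_RC = 'smtphost "smtp.example.org"\nsmtppasswd "constructed-secret"\n'


def write_config_default(path, text):
    """'Before' behaviour: open() creates the file 0666 minus the umask."""
    with open(path, "w") as fh:
        fh.write(text)


def write_config_private(path, text):
    """Create (or rewrite) the file so it is never readable by group/other."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)      # mode applies only if the file is new
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fh.fileno(), 0o600)     # tighten a pre-existing, wider file
        fh.write(text)                    # secret is written after the chmod


def exposed_bits(path):
    """Group/other permission bits on path; 0 means owner-only."""
    return stat.S_IMODE(os.lstat(path).st_mode) & 0o077


def demo():
    """Return the modes of: default create, private create, private rewrite."""
    old_umask = os.umask(0o022)           # common default umask
    try:
        with tempfile.TemporaryDirectory() as d:
            weak = os.path.join(d, "weak.reportbugrc")
            safe = os.path.join(d, "safe.reportbugrc")
            write_config_default(weak, SAMPLE_RC)
            write_config_private(safe, SAMPLE_RC)
            before = stat.S_IMODE(os.lstat(weak).st_mode)
            created = stat.S_IMODE(os.lstat(safe).st_mode)
            write_config_private(weak, SAMPLE_RC)   # upgrade path for old files
            after = stat.S_IMODE(os.lstat(weak).st_mode)
            return before, created, after
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print([oct(m) for m in demo()])
```

Files written by an older version keep their wide mode until they are rewritten or fixed with `chmod 600`, which is why the private writer also calls `fchmod` on a file that already exists.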

Martin Pitt (pitti) wrote :

Fixed Warty in USN-88-1, fixed Hoary in 3.5ubuntu5.

Changed in reportbug:
status: Unknown → Fix Released