Aaron Schrab
2012-Aug-11 21:58 UTC
[Secure-testing-team] Bug#684619: [nullmailer] Debconf prompts for info that might contain password, saves to world-readable file
Package: nullmailer
Version: 1:1.11-1
Severity: serious
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org

--- Please enter the report below this line. ---

During installation, this package uses debconf to get information about how mail should be delivered, giving examples that show how to specify a password for an SMTP account. This information is then saved to /etc/nullmailer/remotes which is readable by any account on the system.

--- System information. ---
Architecture: amd64
Kernel: Linux 3.2.0-3-amd64

Debian Release: wheezy/sid
  500 unstable http.debian.net

--- Package information. ---
Depends (Version)               | Installed
==============================-+-==============
libc6 (>= 2.4)                  | 2.13-35
libgnutls26 (>= 2.12.17-0)      | 2.12.20-1
libstdc++6 (>= 4.1.1)           | 4.7.1-6
debconf (>= 0.5)                | 1.5.45
 OR debconf-2.0                 |
lsb-base                        | 4.1+Debian7

Recommends (Version)            | Installed
================================-+-==========
rsyslog                         | 5.8.11-1+b1
 OR system-log-daemon           |

Package's Suggests field is empty.
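
An added example, not part of the original report or of the nullmailer package: a shell check that flags a remotes file that any local account can read and that carries credentials, then restricts it to its owner. The function names and the `--user=`/`--pass=` option form are assumptions; the sample file is constructed.

```shell
#!/bin/sh
# Added example, not part of the original report.
# Assumption: credentials appear on a remote line as --user=... / --pass=...

# Prints: missing | ok | world-readable | world-readable-with-credentials
audit_remotes() {
    f=$1
    [ -f "$f" ] || { echo missing; return 0; }
    # -perm -004 matches when the "other" read bit is set, i.e. any
    # local account can read the file.
    if [ -n "$(find "$f" -maxdepth 0 -perm -004 2>/dev/null)" ]; then
        if grep -Eq -e '--(user|pass)=' "$f"; then
            echo world-readable-with-credentials
        else
            echo world-readable
        fi
    else
        echo ok
    fi
}

# Limit access to the owner. Assumption: the file is already owned by the
# account the mail daemon runs as; if not, fix ownership first or mail
# delivery will stop working.
harden_remotes() {
    chmod 600 "$1"
}

# Demo on a constructed file in a temporary directory (no system files touched).
demo_remotes() {
    dir=$(mktemp -d) || return 1
    sample="$dir/remotes"
    # Constructed sample line; host, user and password are made up.
    printf '%s\n' 'mail.example.com smtp --user=alice --pass=constructed-secret' > "$sample"
    chmod 644 "$sample"
    echo "before: $(audit_remotes "$sample")"
    harden_remotes "$sample"
    echo "after:  $(audit_remotes "$sample")"
    rm -rf "$dir"
}

demo_remotes
```

On an installed system the same check would be pointed at /etc/nullmailer/remotes, the path named in the report.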