Bug#665696: marked as done (gosa-sync breaks on passwords containing spaces)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Mon, 15 Jul 2013 12:32:57 +0200
with message-id <201307151233.00544.holger@layer-acht.org>
and subject line done
has caused the Debian Bug report #665696,
regarding gosa-sync breaks on passwords containing spaces
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
665696: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665696
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: gosa-sync breaks on passwords containing spaces
• From: Samuel Krempp <samuel.krempp@gmail.com>
• Date: Sun, 25 Mar 2012 10:07:06 +0200
• Message-id: <4F6ED22A.7060109@gmail.com>
• Reply-to: Samuel.Krempp@gmail.com

package: debian-edu-config
severity: important
version: squeeze/r0

spaces need adequate quoting of the password variable in both gosa-sync and gosa.conf.

It is also very likely a security hazard in letting the user-supplied password string unquoted in those two files, whence severity=important.

following patch just adds the quoting, and was verified to fix the issue.


--
Samuel Krempp

--- /etc/gosa/gosa.conf.befSK   2012-03-25 09:45:33.000000000 +0200
+++ /etc/gosa/gosa.conf 2012-03-25 09:50:10.000000000 +0200
@@ -44,7 +44,7 @@
       <plugin acl="users/phoneAccount:self" class="phoneAccount"/>
       <plugin acl="users/nagiosAccount:self" class="nagiosAccount"/>
       <plugin acl="users/scalixAccount:self" class="scalixAccount"/>
-      <plugin acl="users/password:self" class="password" postmodify="USERPASSWORD=%userPassword /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"/>
+      <plugin acl="users/password:self" class="password" postmodify="USERPASSWORD=&quot;%userPassword&quot; /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"/>
     </section>

     <!-- Section to enable administrative services -->
--- /usr/share/debian-edu-config/tools/gosa-sync.orig   2012-03-25 09:28:32.000000000 +0200
+++ /usr/share/debian-edu-config/tools/gosa-sync        2012-03-25 09:56:04.000000000 +0200
@@ -15,7 +15,6 @@
 ## principal's one.

 RETVAL=0
-
 USERDN=$1
 USERID=`echo $USERDN | sed "s/^uid=\([^,]*\),.*$/\1/"`

@@ -30,7 +29,7 @@
 IAM=`ldapwhoami -x -Z -y $TMPFILE -D $USERDN 2>/dev/null || true`
 if [ "$IAM" = "dn:$USERDN" ] ; then
     cat > $TMPFILE <<EOF
-change_password -pw $USERPASSWORD $USERID
+change_password -pw "$USERPASSWORD" $USERID
 EOF
     cat $TMPFILE  | kadmin.local 2>&1 | logger -t gosa-sync -p notice
     logger -t gosa-sync -p notice Kerberos password for \'$USERID\' changed.

--- End Message ---

--- Begin Message ---

• To: 665696-done@bugs.debian.org
• Subject: done
• From: Holger Levsen <holger@layer-acht.org>
• Date: Mon, 15 Jul 2013 12:32:57 +0200
• Message-id: <201307151233.00544.holger@layer-acht.org>

version: 1.454

done since a long time...

Attachment: signature.asc
Description: This is a digitally signed message part.

--- End Message ---