
Bug#684679: RFS: nullmailer/1:1.11-2 (security bugfix upload request)



On Sun, 12 Aug 2012, Nick Leverton wrote:
>    * New upstream release
> diff -Nru nullmailer-1.11/debian/postinst nullmailer-1.11/debian/postinst
> --- nullmailer-1.11/debian/postinst	2012-05-16 08:25:36.000000000 +0100
> +++ nullmailer-1.11/debian/postinst	2012-08-12 20:23:46.000000000 +0100
> @@ -24,10 +24,14 @@
>  		fi
>  
>  		db_get nullmailer/relayhost
> +		# securely create nullmailer/remotes with mode 0600
> +		R=$( tempfile -d /etc/nullmailer -p nullm )
>  		echo "$RET" | sed -r -e ':a s/(\[[^]:]*):/\1=/; ta' \
>  				     -e 's/[[:space:]]*:[[:space:]]*/\n/g' \
>  				     -e ':b s/(\[[^]=]*)=/\1:/; tb' \
> -				     -e 's/[][]//g' > /etc/nullmailer/remotes
> +				     -e 's/[][]//g' >> $R
> +		chown mail:mail $R
> +		mv $R /etc/nullmailer/remotes
>  
>  		db_get nullmailer/adminaddr
>  		if [ "$RET" ]; then
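Review bot: the `mv $R /etc/nullmailer/remotes` line replaces the target unconditionally, so an administrator who turned /etc/nullmailer/remotes into a symlink (or already tightened its ownership and mode) gets it silently overwritten by a mail:mail regular file; guard the rewrite with a regular-file test such as `[ ! -L /etc/nullmailer/remotes ] && [ -f /etc/nullmailer/remotes ]` before the `mv`. The `R=$( tempfile -d /etc/nullmailer -p nullm )` line has no failure check either: if tempfile fails, `$R` is empty and the `>> $R` redirect becomes a shell error, so add `|| exit 1` after it and quote `"$R"` in the three later uses. The comment promises mode 0600, but nothing in the hunk sets a mode; it relies on tempfile's default, so an explicit `chmod 0600 "$R"` next to the `chown` would make the intent visible and survive a different tempfile implementation. Finally, `>>` appends where `>` was used before; the temp file is empty so the result is the same, but `>` states the intent more plainly.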

If bartm is unable to upload this, I will do it. However, you need to
first check that /etc/nullmailer/remotes is a regular file, as it
would be a perfectly reasonable configuration to have replaced
/etc/nullmailer/remotes with a symlink. Secondly, you really should
only do the replacement if /etc/nullmailer/remotes is world readable;
otherwise you should assume that the administrator has modified things
(for example, running nullmailer as an entirely different user).


Don Armstrong

-- 
He no longer wished to be dead. At the same time, it cannot be said
that he was glad to be alive. But at least he did not resent it. He
was alive, and the stubbornness of this fact had little by little
begun to fascinate him -- as if he had managed to outlive himself, as
if he were somehow living a posthumous life.
 -- Paul Auster _City of Glass_

http://www.donarmstrong.com              http://rzlab.ucr.edu
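The two preconditions raised above (the target must be a regular file, not a symlink, and must still be world-readable before the maintainer script touches it) are easy to get subtly wrong in sh. The following is an added example, not code from the nullmailer package or from either correspondent; it uses `mktemp` in place of Debian's `tempfile`, assumes GNU `stat -c %a` for the mode, and the function names, the hypothetical path and the `chown` omission (it is left to the caller, since it needs root) are illustration choices.

```sh
#!/bin/sh
# Added example (not part of the original mail or of nullmailer):
# decide whether a maintainer script may rewrite a config file, and
# rewrite it atomically with mode 0600 only when that is allowed.
# Assumptions: GNU stat (-c %a), mktemp available, caller handles chown.

# should_replace FILE
# Returns 0 only if FILE is an existing regular file (not a symlink)
# whose "other" bits include read, i.e. nobody has already tightened
# or relocated it. Any other case returns 1 and the file is left alone.
should_replace() {
    f="$1"
    # a symlink, even one pointing at a regular file, means the admin
    # moved the real file elsewhere; never clobber the link itself
    [ -L "$f" ] && return 1
    # must exist and be a regular file
    [ -f "$f" ] || return 1
    # octal mode without leading zero, e.g. 644 or 1644
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    # last octal digit is the "other" class; bit 4 is read
    other=$(( mode % 10 ))
    [ $(( other & 4 )) -ne 0 ]
}

# replace_config FILE CONTENT
# Writes CONTENT to a 0600 temp file in FILE's own directory and moves
# it into place, so the rename is atomic and the content is never
# exposed with a permissive mode. Returns 1 without touching FILE when
# should_replace says no, or when the temp file cannot be created.
replace_config() {
    f="$1"
    content="$2"
    should_replace "$f" || return 1
    dir=$(dirname "$f")
    # same filesystem as the target, so mv is a rename, not a copy
    tmp=$(mktemp "$dir/.$(basename "$f").XXXXXX") || return 1
    # mktemp already creates 0600; set it explicitly so the intent is
    # not dependent on the temp-file tool's defaults
    chmod 0600 "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\n' "$content" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$f"
}
```

Calling `replace_config /etc/nullmailer/remotes "$generated"` from a postinst would then rewrite the file only in the world-readable, regular-file case that the security fix is actually about, and leave any admin-customised layout untouched.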