Your message dated Mon, 2 Jun 2008 22:43:23 +1000 with message-id <200806022243.36763.msp@debian.org> and subject line fixed in package hplip - 2.8.2-0ubuntu2 has caused the Debian Bug report #452705, regarding hplip: postinst updates arbitrary home files with privilege escalation to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

-- 
452705: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=452705
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: hplip: postinst updates arbitrary home files with privilege escalation
- From: Justin Pryzby <jpryzby+d@quoininc.com>
- Date: Sat, 24 Nov 2007 12:39:39 -0500
- Message-id: <20071124173939.GA25716@quoininc.com>
Package: hplip
Version: 2.7.10-1
Tags: security
Severity: important

The postinst does this:

+ # Correct ownership of personal HPLIP config files of the users + # (in older HPLIP versions hp-setup created these files with root + # permissions and made hp-toolbox crashing) + for line in `cat /etc/passwd | sed -e 's/ //g'`; do + user=`echo $line | cut -d : -f 1`; + homedir=`echo $line | cut -d : -f 6`; + [ -d $homedir ] && \ + find $homedir -maxdepth 1 -not -user $user -name .hplip* \ + -exec chown $user '{}' \; 2>/dev/null || : + done

This is really too fragile. Even if you remove the need for the sed by shell quoting and check if the original owner matched what's expected, it still tries to chown files in an arbitrarily-large number of paths (silently). The .hplip* should be quoted, and I suspect the chown should do chown $user:$user. Worse, the "chown" argument will follow symbolic links, allowing users to gain ownership of an arbitrary number of files.

I think instead you should 0) get rid of this postinst; 1) fix hp-toolbox; 2) alert the admin about this, either with a NEWS.Debian or with a debconf prompt; and, 3) warn the user at runtime if this situation is detected (ssh does this). Conceivably you could even try to fix it (copy, unlink, rename). However that's not always guaranteed to work (if the file is unreadable) so it's perhaps best to keep the functional changes to a minimum and rely more on the documentation.
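Review bot: the `-exec chown $user '{}'` action dereferences symbolic links (chown follows a link unless given -h), so any symlink that find hands it has its target's owner changed rather than the link; restrict the match to regular files with `-type f` (find evaluates tests on the link itself, so a symlink never satisfies `-type f`) and add `-h` to chown as a second guard. Three more problems in the same loop: `-name .hplip*` is unquoted, so the shell expands the pattern against the postinst's working directory before find ever sees it; `$homedir` and `$user` are unquoted, and the `sed -e 's/ //g'` meant to paper over that silently corrupts any passwd field containing a space, where `while IFS=: read -r user _ _ _ _ homedir _; do ...; done </etc/passwd` reads the fields safely; and `2>/dev/null || :` discards every failure, so a misfire in one home directory leaves nothing in the install log. Finally, `-not -user $user` selects any directory entry whose owner differs, which on a system that permits it includes a hard link a user created to a root-owned file (`-type f` does not exclude that case), and the chown then changes the owner of that inode; that is a further argument for warning instead of repairing, as the reporter suggests.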
--- End Message ---
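The loop criticised in the report is worth setting beside a version that does what the reporter asks for: read /etc/passwd field-wise, quote every expansion, report rather than repair by default, and, where it repairs at all, touch only regular files and never dereference a link. The following is an added example written for this page, not code from hplip, from the bug report or from the Debian packaging; it assumes GNU coreutils on Linux (stat -c, chown -h, find ! -user), the function names are this example's own, and the home directory the demo operates on is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example for this page, not code from hplip or from the bug report.
# Replaces the postinst loop quoted above with (1) a warn-only check that
# uses lstat semantics and never touches symlinks, and (2) a repair routine
# that acts on regular files only and chowns with -h. Assumes GNU coreutils
# on Linux (stat -c, chown -h); function names are this example's own.

# hplip_check_config_ownership HOMEDIR EXPECTED_UID
#   For each .hplip* entry directly in HOMEDIR, print one line:
#     MISMATCH owner=<uid> expected=<uid> <path>  regular file, wrong owner
#     SYMLINK <path>                              symlink, reported only
#     SKIP <path>                                 anything else
#   Returns 1 if any MISMATCH was printed, 0 otherwise. Modifies nothing.
hplip_check_config_ownership() {
    homedir=$1; expected_uid=$2; rc=0
    [ -d "$homedir" ] || return 0
    for path in "$homedir"/.hplip*; do
        # an unmatched glob is left as the literal pattern: skip it
        [ -e "$path" ] || [ -L "$path" ] || continue
        # stat without -L reports the link itself, not what it points to
        info=$(stat -c '%u %F' "$path" 2>/dev/null) || continue
        owner=${info%% *}; ftype=${info#* }
        case $ftype in
            'symbolic link')
                printf 'SYMLINK %s\n' "$path" ;;
            'regular file' | 'regular empty file')
                if [ "$owner" != "$expected_uid" ]; then
                    printf 'MISMATCH owner=%s expected=%s %s\n' \
                        "$owner" "$expected_uid" "$path"
                    rc=1
                fi ;;
            *)
                printf 'SKIP %s\n' "$path" ;;
        esac
    done
    return $rc
}

# hplip_audit_homes [PASSWD_FILE]
#   Warn-only sweep: read the passwd file field-wise (no sed/cut, so a home
#   path containing spaces survives) and compare each account's .hplip*
#   files against the account's own uid. Returns 1 if anything mismatched.
hplip_audit_homes() {
    passwd=${1:-/etc/passwd}; status=0
    while IFS=: read -r user _ uid _ _ homedir _; do
        hplip_check_config_ownership "$homedir" "$uid" || status=1
    done < "$passwd"
    return $status
}

# hplip_fix_config_ownership [PASSWD_FILE]
#   Repair variant of the original loop; needs root, so it is not run here.
#   Every expansion is quoted, the pattern is quoted so the shell cannot
#   expand it, -type f excludes symlinks (find tests the link itself, so a
#   symlink never satisfies -type f), and chown -h never dereferences.
#   Note that -type f still matches a hard link to a root-owned file, so
#   warn-only (hplip_audit_homes) is the safer default.
hplip_fix_config_ownership() {
    passwd=${1:-/etc/passwd}
    while IFS=: read -r user _ _ _ _ homedir _; do
        [ -d "$homedir" ] || continue
        find "$homedir" -maxdepth 1 -type f -name '.hplip*' ! -user "$user" \
            -exec chown -h -- "$user" {} \;
    done < "$passwd"
}

# Demo on a constructed home directory: one regular config file and one
# symlink named like a config file. Using uid+1 as the "expected" owner
# stands in for a file that hp-setup left behind as root.
demo_home=$(mktemp -d)
: > "$demo_home/.hplip.conf"
: > "$demo_home/secret-target"
ln -s "$demo_home/secret-target" "$demo_home/.hplip-link"
hplip_check_config_ownership "$demo_home" "$(( $(id -u) + 1 ))" ||
    echo "ownership problems found, nothing was changed"
rm -rf "$demo_home"
```

Run as an ordinary user the demo reports the regular file as a MISMATCH and the symlink as SYMLINK without touching either; hplip_fix_config_ownership is the only function that changes anything and is deliberately left for a root shell, where the `-type f` restriction and `chown -h` together keep it from ever following a link the way the original `chown $user '{}'` did.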
--- Begin Message ---
- To: 452705-done@bugs.debian.org
- Subject: fixed in package hplip - 2.8.2-0ubuntu2
- From: Mark Purcell <msp@debian.org>
- Date: Mon, 2 Jun 2008 22:43:23 +1000
- Message-id: <200806022243.36763.msp@debian.org>
Version: 2.8.2-1

https://bugs.launchpad.net/ubuntu/+source/hplip/+bug/191299

This bug was fixed in the package hplip - 2.8.2-0ubuntu2

---------------
hplip (2.8.2-0ubuntu2) hardy; urgency=low

  [ Till Kamppeter ]
  * debian/rules: Install the new fax PPD file for color fax devices
    (currently only HP LaserJet M2727 series, Ubuntu LP: #59409).
  * debian/hplip.postinst: Fix PPD paths in /etc/hp/hplip.conf, so that
    hp-setup finds the fax PPDs (Ubuntu LP: #59409).
  * debian/hplip.postinst: Removed code to correct permissions of .hplip
    personal config in user's home directories (Ubuntu LP: #191299).

  [ Mark Purcell ]
  * Added NEWS/ README entry about the need to use 'scanner' group
    - Non-root users need to be in group scanner! (Closes: #454339)
    - should use plugdev rather than scanner group (Closes: #452454)
    - sane-utils: Scanner only accessible under root (Closes: #462563)
  * Force (-f) removal of init.d scripts
    - Uses update-rc.d remove while init script exists; upgrade fails
      (Closes: #456378)

 -- Till Kamppeter <till.kamppeter@gmail.com>  Tue, 26 Feb 2008 10:08:52 +0100

Attachment: signature.asc
--- End Message ---