
Bug#160813: marked as done (cgiemail:/etc/cgiemail.conf is not consulted)

Your message dated Sat, 28 Sep 2002 07:17:11 -0400
with message-id <E17vFax-0002Yr-00@auric.debian.org>
and subject line Bug#160813: fixed in cgiemail 1.6-15
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Received: (at submit) by bugs.debian.org; 13 Sep 2002 22:16:59 +0000
>From tmh@nothing-on.tv Fri Sep 13 17:16:59 2002
Return-path: <tmh@nothing-on.tv>
Received: from sisko.nodomain.org (mail.nodomain.org) [] 
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 17pykF-0003Tc-00; Fri, 13 Sep 2002 17:16:59 -0500
Received: from localhost (localhost [])
	by mail.nodomain.org (Postfix) with ESMTP
	id 26136E1052; Fri, 13 Sep 2002 23:16:46 +0100 (BST)
Received: by mail.nodomain.org (Postfix, from userid 1000)
	id 39931E1036; Fri, 13 Sep 2002 23:16:45 +0100 (BST)
Content-Type: text/plain; charset="ANSI_X3.4-1968"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Tony Hoyle" <tmh@nodomain.org>
To: "Debian Bug Tracking System" <submit@bugs.debian.org>
Subject: =?ansi_x3.4-1968?q?cgiemail:?=
	=?ansi_x3.4-1968?q?/etc/cgiemail.conf?= is not consulted
X-Mailer: reportbug 1.99.54
Date: Fri, 13 Sep 2002 23:16:45 +0100
Message-Id: <20020913221645.39931E1036@mail.nodomain.org>
X-Virus-Scanned: by AMaViS new-20020517
X-Razor-id: ceaac65496d5fd68a258cbb01d3da6b812437620
X-Spam-Status: No, hits=0.4 tests=SUPERLONG_LINE
Delivered-To: submit@bugs.debian.org

Package: cgiemail
Version: 1.6-14
Severity: important
Tags: security

Contrary to instructions given during installation, /etc/cgiemail.conf
is not being consulted.  I installed with a default of /var/www/templates,
and this was duly put in the configuration file.  I noticed that the existing template files which were *not* within /var/www/templates did not stop working.  To test this I changed the /etc/cgiemail.conf to templatedir="/home/tmh", and observed that the template files in the webspace were still honoured - meaning the templatedir option is non-functional in this release.

Moreover, trying to open /cgi-bin/cgiemail/cgi-bin/cgiemail proved that it was attempting to read files in the cgi-bin directory - exactly the vulnerability that the templatedir parameter is supposed to stop.

Just to test, I deleted /etc/cgiemail.conf, and cgiemail refused to run, so I'm definitely running the correct binary (this machine didn't previously have cgiemail installed).

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux sisko 2.4.19-rc3-ac3 #1 Sun Aug 4 14:38:02 BST 2002 i686

Versions of packages cgiemail depends on:
ii  debconf                       1.1.32     Debian configuration management sy
ii  libc6                         2.2.5-14.1 GNU C Library: Shared libraries an

-- debconf information excluded

Received: (at 160813-close) by bugs.debian.org; 28 Sep 2002 11:24:12 +0000
>From katie@auric.debian.org Sat Sep 28 06:24:12 2002
Return-path: <katie@auric.debian.org>
Received: from auric.debian.org [] (mail)
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 17vFhk-0005t8-00; Sat, 28 Sep 2002 06:24:12 -0500
Received: from katie by auric.debian.org with local (Exim 3.35 1 (Debian))
	id 17vFax-0002Yr-00; Sat, 28 Sep 2002 07:17:11 -0400
From: Colin Watson <cjwatson@debian.org>
To: 160813-close@bugs.debian.org
X-Katie: $Revision: 1.26 $
Subject: Bug#160813: fixed in cgiemail 1.6-15
Message-Id: <E17vFax-0002Yr-00@auric.debian.org>
Sender: Archive Administrator <katie@auric.debian.org>
Date: Sat, 28 Sep 2002 07:17:11 -0400
Delivered-To: 160813-close@bugs.debian.org

We believe that the bug you reported is fixed in the latest version of
cgiemail, which is due to be installed in the Debian FTP archive:

  to pool/main/c/cgiemail/cgiemail_1.6-15.diff.gz
  to pool/main/c/cgiemail/cgiemail_1.6-15.dsc
  to pool/main/c/cgiemail/cgiemail_1.6-15_i386.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 160813@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Colin Watson <cjwatson@debian.org> (supplier of updated cgiemail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sat, 28 Sep 2002 12:03:42 +0100
Source: cgiemail
Binary: cgiemail
Architecture: source i386
Version: 1.6-15
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
 cgiemail   - CGI Form-to-Mail converter
Closes: 145336 160813
 cgiemail (1.6-15) unstable; urgency=low
   * QA upload.
   * Null-terminate templatedir, and make sure it really does get checked
     (closes: #160813).
   * Add NAME section to man pages (closes: #145336).
   * Policy version 3.5.7:
     - Drop DEB_BUILD_OPTIONS=debug support, so we always build with -g;
       support DEB_BUILD_OPTIONS=noopt.
 15cb75324c24380a4dc2deb4dba094a0 627 web optional cgiemail_1.6-15.dsc
 e1e9a2508fb067feca3e2de91cbf5288 13233 web optional cgiemail_1.6-15.diff.gz
 ef3849753a70d39be60b3b82b7acb880 31714 web optional cgiemail_1.6-15_i386.deb
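
The two points in the changelog above (a null-terminated templatedir, and a check that is actually enforced) can be illustrated with the following added example. It is not cgiemail's code or the Debian patch: the function names `parse_templatedir` and `template_allowed` are hypothetical, the sample paths are constructed, and the check is purely lexical, so it assumes the caller has already resolved symlinks.

```c
#include <stdio.h>
#include <string.h>

/* Parse one config line of the form templatedir="/var/www/templates".
 * Returns 0 and a null-terminated directory in out, or -1 on any error. */
int parse_templatedir(const char *line, char *out, size_t outlen)
{
    static const char key[] = "templatedir=\"";
    size_t klen = sizeof key - 1, n;
    const char *start, *end;

    if (strncmp(line, key, klen) != 0)
        return -1;
    start = line + klen;
    end = strchr(start, '"');
    if (end == NULL || start[0] != '/')   /* unterminated or relative value */
        return -1;
    n = (size_t)(end - start);
    while (n > 1 && start[n - 1] == '/')  /* drop trailing slashes */
        n--;
    if (n >= outlen)                      /* leave room for the terminator */
        return -1;
    memcpy(out, start, n);
    out[n] = '\0';                        /* memcpy does not terminate */
    return 0;
}

/* Return 1 only if path names a file below dir; anything else is refused. */
int template_allowed(const char *dir, const char *path)
{
    size_t dlen = strlen(dir), plen = strlen(path);

    if (dlen == 0 || dir[0] != '/')
        return 0;
    if (strstr(path, "/../") != NULL)     /* no parent-directory hops */
        return 0;
    if (plen >= 3 && strcmp(path + plen - 3, "/..") == 0)
        return 0;
    if (strncmp(path, dir, dlen) != 0)
        return 0;
    /* The match must end on a component boundary: /home/tmhx is not /home/tmh. */
    return path[dlen] == '/' && path[dlen + 1] != '\0';
}

int main(void)
{
    char dir[256];   /* constructed sample input below */
    if (parse_templatedir("templatedir=\"/home/tmh\"", dir, sizeof dir) != 0) return 1;
    printf("%d %d\n", template_allowed(dir, "/home/tmh/form.txt"), template_allowed(dir, "/usr/lib/cgi-bin/cgiemail"));
    return 0;
}
```

The test from the report maps onto this directly: with templatedir set to /home/tmh, a template path anywhere else must be refused.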
