[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#687782: unblock: nullmailer/1:1.11-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please would you unblock package nullmailer.

This fixes a security issue raised in bug #684619 whereby email auth
credentials for the remote host used by the daemon component were stored
in a world-readable file.

I have attached the debdiff.

There is also some discussion on the fix in #684679.  I decided not to
make the change any more complex as new installers will now be adequately
protected anyway, and old installations (most of which won't be using
auth as it is a relatively new feature) will not be changed to the
surprise of sysadmins.

unblock nullmailer/1:1.11-2

Thanks

Nick Leverton
diff -Nru nullmailer-1.11/debian/changelog nullmailer-1.11/debian/changelog
--- nullmailer-1.11/debian/changelog	2012-06-16 16:36:28.000000000 +0100
+++ nullmailer-1.11/debian/changelog	2012-08-21 09:01:40.000000000 +0100
@@ -1,3 +1,9 @@
+nullmailer (1:1.11-2) unstable; urgency=low
+
+  * Make 'remotes' not world-readable (Closes: #684619)
+
+ -- Nick Leverton <nick@leverton.org>  Tue, 21 Aug 2012 09:01:38 +0100
+
 nullmailer (1:1.11-1) unstable; urgency=low
 
   * New upstream release
diff -Nru nullmailer-1.11/debian/postinst nullmailer-1.11/debian/postinst
--- nullmailer-1.11/debian/postinst	2012-05-16 08:25:36.000000000 +0100
+++ nullmailer-1.11/debian/postinst	2012-08-21 09:07:21.000000000 +0100
@@ -24,6 +24,15 @@
 		fi
 
 		db_get nullmailer/relayhost
+		# securely create nullmailer/remotes with mode 0600
+		if [ ! -e /etc/nullmailer/remotes ]
+		then
+			M=$( umask )
+			umask 077
+			> /etc/nullmailer/remotes
+			chown mail:mail /etc/nullmailer/remotes
+			umask $M
+		fi
 		echo "$RET" | sed -r -e ':a s/(\[[^]:]*):/\1=/; ta' \
 				     -e 's/[[:space:]]*:[[:space:]]*/\n/g' \
 				     -e ':b s/(\[[^]=]*)=/\1:/; tb' \

Reply to: