Debian Bug report logs - #361775
[CVE-2006-1772] stores database password in world-readable config.dat


Package: mnogosearch-common; Maintainer for mnogosearch-common is (unknown);

Reported by: Andrew Pam <xanni@glasswings.com.au>

Date: Mon, 10 Apr 2006 08:18:02 UTC

Severity: critical

Tags: fixed, security

Found in version mnogosearch-common/3.2.31-1

Fixed in version 3.2.37-3.1

Done: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Philipp Hug <debian@hug.cx>:
Bug#361775; Package mnogosearch-common.


Acknowledgement sent to Andrew Pam <xanni@glasswings.com.au>:
New Bug report received and forwarded. Copy sent to Philipp Hug <debian@hug.cx>.


Message #5 received at submit@bugs.debian.org:

From: Andrew Pam <xanni@glasswings.com.au>
To: submit@bugs.debian.org
Subject: Security bug report
Date: Mon, 10 Apr 2006 18:10:51 +1000
Package: mnogosearch-common
Version: 3.2.31-1
Severity: critical
Tags: security

The Debian configuration tool (debconf) asks for the database
administrator password when configuring mnogosearch, and then
stores the password in clear text in the world-readable file
/var/cache/debconf/config.dat under the key
mnogosearch-common/database_admin_pass instead of using the
restricted access file /var/cache/debconf/passwords.dat

Regards,
	Andrew
-- 
mailto:xanni@xanadu.net                         Andrew Pam
http://www.xanadu.com.au/                       Chief Scientist, Xanadu
http://www.glasswings.com.au/                   Partner, Glass Wings
http://www.sericyb.com.au/                      Manager, Serious Cybernetics



Information forwarded to debian-bugs-dist@lists.debian.org, Philipp Hug <debian@hug.cx>:
Bug#361775; Package mnogosearch-common.


Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to Philipp Hug <debian@hug.cx>.


Message #10 received at 361775@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: 361775@bugs.debian.org
Subject: CVE number
Date: Tue, 18 Apr 2006 10:38:12 +0200
Hi!

This has been assigned CVE-2006-1772. Please mention this number in
the changelog when you fix this to ease tracking.

Thanks,

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Changed Bug title. Request was from Filipus Klutiero <chealer@vif.com> to control@bugs.debian.org.


Tags added: fixed Request was from Julien Louis <ptitlouis@sysif.net> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Philipp Hug <debian@hug.cx>:
Bug#361775; Package mnogosearch-common.


Acknowledgement sent to Julien Louis <ptitlouis@sysif.net>:
Extra info received and forwarded to list. Copy sent to Philipp Hug <debian@hug.cx>.


Message #19 received at 361775@bugs.debian.org:

From: Julien Louis <ptitlouis@sysif.net>
To: 361775@bugs.debian.org
Subject: NMU patch
Date: Sat, 3 Jun 2006 19:54:14 +0200
Hi,

Attached are the changes I've made in my NMU.
I've just changed the type of debconf questions for passwords and set an empty
password in the database after building the conffile.

Cheers
-- 
Are you making all this up as you go along?
[nmu.diff (text/plain, attachment)]
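
As an added example (not part of the bug report, the NMU patch or the mnogosearch packaging), this Python check looks for the condition described in the report: a secret-looking question with a non-empty value in a world-readable config.dat, reported together with its template type, which is what the NMU changed. The name heuristic, the sample values, the `example-pkg` key and the original `Type: string` are assumptions constructed for illustration.

```python
import re
import stat

# Assumption of this example: question names ending like this hold secrets.
SECRET_NAME = re.compile(r"(pass(word|wd)?|secret)$", re.IGNORECASE)

# Constructed sample data in debconf's stanza format; the Value and the
# original "Type: string" are assumptions, only the first key is from the report.
SAMPLE_CONFIG = """\
Name: mnogosearch-common/database_admin_pass
Template: mnogosearch-common/database_admin_pass
Value: constructed-secret
Owners: mnogosearch-common

Name: example-pkg/database_name
Template: example-pkg/database_name
Value: exampledb
Owners: example-pkg
"""
SAMPLE_TEMPLATES = """\
Name: mnogosearch-common/database_admin_pass
Type: string
Description: Database administrator password
 Constructed extended description line.
"""

def parse_stanzas(text):
    """Parse debconf's RFC-822-like database text into a list of dicts."""
    stanzas, current, last = [], {}, None
    for line in text.splitlines() + [""]:      # trailing "" flushes last stanza
        if not line.strip():
            if current:
                stanzas.append(current)
            current, last = {}, None
        elif line[0] in " \t" and last:        # continuation line
            current[last] += "\n" + line.strip()
        elif ":" in line:
            last, _, value = line.partition(":")
            current[last] = value.strip()
    return stanzas

def audit(config_text, templates_text, config_mode):
    """Return (name, template type) for secrets readable via config.dat."""
    if not config_mode & stat.S_IROTH:         # file is not world-readable
        return []
    types = {t.get("Name"): t.get("Type") for t in parse_stanzas(templates_text)}
    return [(q.get("Name"), types.get(q.get("Template")))
            for q in parse_stanzas(config_text)
            if q.get("Value") and SECRET_NAME.search(q.get("Name", ""))]
```

On a real system, pass the contents of /var/cache/debconf/config.dat and templates.dat and the mode from `os.stat()`; an empty result after the fix corresponds to the emptied password value described in the NMU message.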

Message sent on to Andrew Pam <xanni@glasswings.com.au>:
Bug#361775.


Message #22 received at 361775-submitter@bugs.debian.org:

From: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>
To: 361775-submitter@bugs.debian.org
Subject: Debian bug #361775
Date: Thu, 26 Oct 2006 22:15:40 +0100
Hi,

You should have recently received (or will soon receive) an e-mail
telling you that I've closed Debian bug #361775 in the mnogosearch-common 
package, which you reported.

Due to the fact that the package was uploaded by someone who does not
normally do so, the bug was marked as "fixed" rather than closed.

Debian's bug tracking system now allows for this information to be
recorded in a more useful manner, enabling these bugs to be closed.

Due to the volume of bugs affected by this change, we are unfortunately
not sending individualized explanations for each bug. If you have
questions about the fix for your particular bug or about this email,
please contact me directly or follow up to the bug report in the Debian
BTS.

[It's possible you may receive multiple messages stating that the bug
was fixed in several different versions of the package. There are two
common reasons for this:

  - the bug was fixed in one version but subsequently found to exist
    in a later version

  - the bug existed in multiple distributions (for instance, "unstable"
    and "stable") and was thus fixed in a separate upload to each
    distribution
]

Regards,

Adam



Bug marked as fixed in version 3.2.37-3.1, send any further explanations to Andrew Pam <xanni@glasswings.com.au> Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 14:16:44 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 09:58:41 2025; Machine Name: buxtehude
