Debian Bug report logs - #480543
nopi2 postinst script is not robust to user's input data

Package: noip2; Maintainer for noip2 is (unknown);

Reported by: Cesare Tirabassi <norsetto@ubuntu.com>

Date: Sat, 10 May 2008 19:39:04 UTC

Severity: normal

Found in version no-ip/2.1.7-7

Fixed in version no-ip/2.1.7-8

Done: Andres Mejia <mcitadel@gmail.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Otavio Salvador <otavio@debian.org>:
Bug#480543; Package noip2.


Acknowledgement sent to Cesare Tirabassi <norsetto@ubuntu.com>:
New Bug report received and forwarded. Copy sent to Otavio Salvador <otavio@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Cesare Tirabassi <norsetto@ubuntu.com>
To: submit@bugs.debian.org
Subject: nopi2 postinst script is not robust to user's input data
Date: Sat, 10 May 2008 21:36:26 +0200
Package: noip2
Version: 2.1.7-7
Severity: normal
Usertags: origin-ubuntu hardy

Hi,

the noip2 postinst script doesn't handle some particular user inputs
very well.
For instance:

a) If the user's username and/or password contains a blank space, the config
script will fail with a bad syntax error and leave the package in a broken
state.

This can be solved by e.g. using "$username" and "$password" in the noip2 call.

b) if the username and/or password is incorrect, the configuration will fail
and the installation will fail: this will leave the package in a completely
broken state. This failure could be handled more gracefully, for instance by
completing nevertheless the installation with a warning to the user and leave
the possibility to the user to configure again the package (for instance with
dpkg-reconfigure or by manually calling noip2 with the correct data).

Many thanks,

Cesare




Message sent on to Cesare Tirabassi <norsetto@ubuntu.com>:
Bug#480543.


Message #8 received at 480543-submitter@bugs.debian.org:

From: Andres Mejia <mcitadel@gmail.com>
To: 480543-submitter@bugs.debian.org
Subject: RE: nopi2 postinst script is not robust to user's input data
Date: Tue, 20 May 2008 02:40:47 -0400
I have fixed problem 'a' you described in your bug report. However, I cannot
confirm problem 'b'.

noip2 will exit normally (exit 0) even if it's supplied a bad username and/or 
password. Also, noip2 is started by the init script during package 
installation. Since the init script is not set with '-e', it will continue 
running (and thus exit normally) even if start-stop-daemon returned a 
non-zero exit status.

-- 
Regards,
Andres

Information stored:
Bug#480543; Package noip2.


Acknowledgement sent to "Cesare Tirabassi" <cesare.tirabassi@gmail.com>:
Extra info received and filed, but not forwarded.


Message #13 received at 480543-quiet@bugs.debian.org:

From: "Cesare Tirabassi" <cesare.tirabassi@gmail.com>
To: "Andres Mejia" <mcitadel@gmail.com>, 480543-quiet@bugs.debian.org
Subject: Re: Bug#480543: nopi2 postinst script is not robust to user's input data
Date: Tue, 20 May 2008 16:04:04 +0200
Hi Andres,

thanks for looking into this.
An example of what can go wrong is a user entering a blank username and/or
password. You can test this case very easily; installation will fail since
the noip2 call will fail with a bad syntax error. I hope this clarifies my
original concern?
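
The quoting problem from the original report and the blank-input case raised in this follow-up, as an added shell example that is not part of the bug log or of the noip2 package. `show_argv` is a hypothetical stand-in for the noip2 binary, and the `-u`/`-p` option names and the sample credentials are assumptions made for illustration.

```shell
#!/bin/sh
set -e  # maintainer scripts normally run this way: an unhandled failure aborts

# Hypothetical stand-in for the noip2 binary: prints the argument count and
# each argument in brackets, which makes word splitting visible.
show_argv() {
    printf '%d:' "$#"
    for arg in "$@"; do printf '[%s]' "$arg"; done
    printf '\n'
}

# Fragile form: unquoted expansions are field-split, so a value containing a
# space becomes two arguments and an empty value disappears entirely.
call_unquoted() {
    username=$1; password=$2
    show_argv -u $username -p $password
}

# Robust form: each quoted expansion stays exactly one argument.
call_quoted() {
    username=$1; password=$2
    show_argv -u "$username" -p "$password"
}

# Quoting passes an empty value through as '', so reject blanks explicitly.
valid_credentials() {
    [ -n "$1" ] && [ -n "$2" ]
}

# Graceful handling: warn and carry on instead of failing the installation,
# leaving the package to be configured again later.
configure() {
    if ! valid_credentials "$1" "$2"; then
        echo "warning: blank username or password, skipping setup" >&2
        echo "skipped"
        return 0
    fi
    call_quoted "$1" "$2" >/dev/null || { echo "failed"; return 0; }
    echo "configured"
}

# Constructed sample input.
call_unquoted "john doe" "pass word"
call_quoted   "john doe" "pass word"
call_unquoted "" "secret"
configure     "" "secret"
```
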

Reply sent to Andres Mejia <mcitadel@gmail.com>:
You have taken responsibility.


Notification sent to Cesare Tirabassi <norsetto@ubuntu.com>:
Bug acknowledged by developer.


Message #18 received at 480543-close@bugs.debian.org:

From: Andres Mejia <mcitadel@gmail.com>
To: 480543-close@bugs.debian.org
Subject: Bug#480543: fixed in no-ip 2.1.7-8
Date: Tue, 20 May 2008 14:02:04 +0000
Source: no-ip
Source-Version: 2.1.7-8

We believe that the bug you reported is fixed in the latest version of
no-ip, which is due to be installed in the Debian FTP archive:

no-ip_2.1.7-8.diff.gz
  to pool/main/n/no-ip/no-ip_2.1.7-8.diff.gz
no-ip_2.1.7-8.dsc
  to pool/main/n/no-ip/no-ip_2.1.7-8.dsc
noip2_2.1.7-8_amd64.deb
  to pool/main/n/no-ip/noip2_2.1.7-8_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 480543@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andres Mejia <mcitadel@gmail.com> (supplier of updated no-ip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 19 May 2008 23:00:49 -0400
Source: no-ip
Binary: noip2
Architecture: source amd64
Version: 2.1.7-8
Distribution: unstable
Urgency: low
Maintainer: Otavio Salvador <otavio@debian.org>
Changed-By: Andres Mejia <mcitadel@gmail.com>
Description: 
 noip2      - client for dynamic DNS service
Closes: 478848 480543
Changes: 
 no-ip (2.1.7-8) unstable; urgency=low
 .
   [ Andres Mejia ]
   * Fix where logcheck filter is installed. Closes: #478848
   * Add DM-Upload-Allowed: yes field in control file.
   * Fixing postinst to allow usernames and passwords with spaces.
     Closes: #480543
   * Added nostrip option for DEB_BUILD_OPTIONS.
   * Fix manpage lintian warning.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 19 Jun 2008 07:33:31 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jan 11 12:31:10 2018; Machine Name: beach
