Debian Bug report logs - #646804
RFP: cheermeup -- Send affirmative messages to the user via the notification library

Package: wnpp; Maintainer for wnpp is wnpp@debian.org;

Reported by: Ole Wolf <wolf@blazingangles.com>

Date: Thu, 27 Oct 2011 11:54:26 UTC

Severity: wishlist



Report forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org, wnpp@debian.org:
Bug#646804; Package wnpp. (Thu, 27 Oct 2011 11:54:29 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ole Wolf <wolf@blazingangles.com>:
New Bug report received and forwarded. Copy sent to debian-devel@lists.debian.org, wnpp@debian.org. (Thu, 27 Oct 2011 11:54:36 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Ole Wolf <wolf@blazingangles.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ITP: cheermeup -- Send affirmative messages to the user via the notification library
Date: Thu, 27 Oct 2011 13:03:15 +0200
Package: wnpp
Severity: wishlist
Owner: Ole Wolf <wolf@blazingangles.com>


* Package name    : cheermeup
  Version         : 0.5-1
  Upstream Author : Ole Wolf <wolf@blazingangles.com>
* URL             : http://debian.blazingangles.net/cheermeup.html
* License         : GPLv3
  Programming Lang: Bash script
  Description     : Send affirmative messages to the user via the notification library

Send an affirmative message to the currently logged in users via the notification library. The affirmative messages are intended to boost the user's self-esteem by telling the user he or she is a great person, that someone loves him or her, etc.




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Ole Wolf <wolf@blazingangles.com>:
Bug#646804; Package wnpp. (Thu, 27 Oct 2011 18:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Enrico Zini <enrico@enricozini.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Ole Wolf <wolf@blazingangles.com>. (Thu, 27 Oct 2011 18:45:03 GMT) Full text and rfc822 format available.

Message #10 received at 646804@bugs.debian.org (full text, mbox):

From: Enrico Zini <enrico@enricozini.org>
To: debian-devel@lists.debian.org
Cc: 646804@bugs.debian.org
Subject: Re: Bug#646804: ITP: cheermeup -- Send affirmative messages to the user via the notification library
Date: Thu, 27 Oct 2011 20:43:57 +0200
[Message part 1 (text/plain, inline)]
On Thu, Oct 27, 2011 at 04:07:57PM +0000, Thomas Thurman wrote:

> In case it helps anyone's decision, I think the list of affirmative messages is short enough to
> include here:
> 
> It is okay to express your needs and feelings.
[...]
> You've made people happy.

WHAT? You mean it doesn't have polygen integration?

How dare they make something like this without using polygen!


Ciao,

Enrico who's SO going to file a bug about it as soon as there is a
bug-reportable package.

-- 
GPG key: 4096R/E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Ole Wolf <wolf@blazingangles.com>:
Bug#646804; Package wnpp. (Thu, 27 Oct 2011 19:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Philipp A. Hartmann" <ph@sorgh.de>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Ole Wolf <wolf@blazingangles.com>. (Thu, 27 Oct 2011 19:21:03 GMT) Full text and rfc822 format available.

Message #15 received at 646804@bugs.debian.org (full text, mbox):

From: "Philipp A. Hartmann" <ph@sorgh.de>
To: Ole Wolf <wolf@blazingangles.com>
Cc: 646804@bugs.debian.org
Subject: Privilege escalation in cheermeup script
Date: Thu, 27 Oct 2011 21:11:14 +0200
Hey,

the cronjob script in the cheermeup package contains a serious privilege
escalation bug by sourcing the "user configuration settings" as root user:

# ...
    localconfig="$homedir/.config/cheermeup/config"
    if [ -f "$localconfig" ]; then
        . $localconfig
    else
# ...

A local user can therefore execute arbitrary commands as root by simply
putting them in ~/.config/cheermeup/config and waiting for the next run.

The package should drop privileges way earlier, e.g. by using ConsoleKit
to determine the currently open user sessions and running a separate
script as the logged-in user(s) to create the cheers.

Secondly, the cronjob sometimes writes stuff to stdout/err and may exit
with a non-zero exit code, e.g. if no (GNOME/Unity) user is currently
logged in, which leads to rather annoying mails to root.

I really like the idea, but this package may need some work (beyond
polygen support requested by Enrico) before being suitable for distribution.

Greetings from Oldenburg,
  Philipp




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Ole Wolf <wolf@blazingangles.com>:
Bug#646804; Package wnpp. (Thu, 27 Oct 2011 20:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ole Wolf <ole@naturloven.dk>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Ole Wolf <wolf@blazingangles.com>. (Thu, 27 Oct 2011 20:15:03 GMT) Full text and rfc822 format available.

Message #20 received at 646804@bugs.debian.org (full text, mbox):

From: Ole Wolf <ole@naturloven.dk>
To: "Philipp A. Hartmann" <ph@sorgh.de>
Cc: 646804@bugs.debian.org
Subject: Re: Privilege escalation in cheermeup script
Date: Thu, 27 Oct 2011 21:25:51 +0200
[Message part 1 (text/plain, inline)]
Hi Philipp,

   Ouch, I should have thought of that possible exploit. I agree, it's
not suitable for release as is; in fact, I'll remove the download from the
homepage.

   What is "polygen"?

   Thanks,

   --Ole

   Quoting "Philipp A. Hartmann" <ph@sorgh.de>:
> Hey,
>
>   the cronjob script in the cheermeup package contains a serious privilege
>   escalation bug by sourcing the "user configuration settings" as root user:
>
>   # ...
>      localconfig="$homedir/.config/cheermeup/config"
>      if [ -f "$localconfig" ]; then
>          . $localconfig
>      else
>   # ...
>
>   A local user can therefore execute arbitrary commands as root by simply
>   putting them in ~/.config/cheermeup/config and waiting for the next run.
>
>   The package should drop privileges way earlier, e.g. by using ConsoleKit
>   to determine the currently open user sessions and running a separate
>   script as the logged-in user(s) to create the cheers.
>
>   Secondly, the cronjob sometimes writes stuff to stdout/err and may exit
>   with a non-zero exit code, e.g. if no (GNOME/Unity) user is currently
>   logged in, which leads to rather annoying mails to root.
>
>   I really like the idea, but this package may need some work (beyond
>   polygen support requested by Enrico) before being suitable for
> distribution.
>
>   Greetings from Oldenburg, Philipp

   --
OLE WOLF[1]
Rødhættevej 4 * 9400 Nørresundby
   Telefon: 9632-0108 * Mobil: 2467-5526 * Skype: ole.wolf * SIP:
ole.wolf@ekiga.net



Links:
------
[1] http://naturloven.dk
[Message part 2 (text/html, inline)]
[smime.p7s (application/pkcs7-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Ole Wolf <wolf@blazingangles.com>:
Bug#646804; Package wnpp. (Thu, 27 Oct 2011 21:03:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Philipp A. Hartmann" <ph@sorgh.de>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Ole Wolf <wolf@blazingangles.com>. (Thu, 27 Oct 2011 21:03:05 GMT) Full text and rfc822 format available.

Message #25 received at 646804@bugs.debian.org (full text, mbox):

From: "Philipp A. Hartmann" <ph@sorgh.de>
To: Ole Wolf <ole@naturloven.dk>
Cc: 646804@bugs.debian.org
Subject: Re: Privilege escalation in cheermeup script
Date: Thu, 27 Oct 2011 22:59:49 +0200
[Message part 1 (text/plain, inline)]
Hi Ole,

On 27/10/11 21:25, Ole Wolf wrote:
> 
>    Ouch, I should have thought of that possible exploit. I agree, it's
> not suitable for release as is; in fact, I'll remove the download from the
> homepage.

wow, that was quick. :-) I agree that it's probably better to remove the
download until you can fix this issue.

>    What is "polygen"?

  polygen [1] is a generator of random sentences from grammar
definitions, which already provides all the randomization you need.

  I've attached a (very simple) grammar definition based on your
original message collection.  This should of course be refined somehow
to generate more dynamic messages based on more sophisticated grammar
rules.  Use "polygen cheermeup.grm" to select a random message.

Looking forward to the next version. :-)
Philipp

[1] http://packages.debian.org/sid/polygen

[cheermeup.grm (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Ole Wolf <wolf@blazingangles.com>:
Bug#646804; Package wnpp. (Thu, 27 Oct 2011 21:03:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ole Wolf <ole@naturloven.dk>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Ole Wolf <wolf@blazingangles.com>. (Thu, 27 Oct 2011 21:03:07 GMT) Full text and rfc822 format available.

Message #30 received at 646804@bugs.debian.org (full text, mbox):

From: Ole Wolf <ole@naturloven.dk>
To: 646804@bugs.debian.org
Cc: "Philipp A. Hartmann" <ph@sorgh.de>
Subject: Re: Bug#646804: Privilege escalation in cheermeup script
Date: Thu, 27 Oct 2011 23:00:44 +0200
[Message part 1 (text/plain, inline)]
Bug has been fixed and new version cheermeup-0.6-1 released.

   The bug was fixed by grepping the "key=value" entries in the users'
config files, that is, without executing or sourcing them.

   --
OLE WOLF[1]
Rødhættevej 4 * 9400 Nørresundby
   Telefon: 9632-0108 * Mobil: 2467-5526 * Skype: ole.wolf * SIP:
ole.wolf@ekiga.net

   Quoting Ole Wolf <ole@naturloven.dk>:
> Hi Philipp,
>
>     Ouch, I should have thought of that possible exploit. I agree, it's
>   not suitable for release as is; in fact, I'll remove the download from the
>   homepage.
>
>     What is "polygen"?
>
>     Thanks,
>
>     --Ole
>
>     Quoting "Philipp A. Hartmann" <ph@sorgh.de>:
>> Hey,
>>
>>    the cronjob script in the cheermeup package contains a serious privilege
>>    escalation bug by sourcing the "user configuration settings" as
>> root user:
>>
>>    # ...
>>       localconfig="$homedir/.config/cheermeup/config"
>>       if [ -f "$localconfig" ]; then
>>           . $localconfig
>>       else
>>    # ...
>>
>>    A local user can therefore execute arbitrary commands as root by simply
>>    putting them in ~/.config/cheermeup/config and waiting for the next run.
>>
>>    The package should drop privileges way earlier, e.g. by using ConsoleKit
>>    to determine the currently open user sessions and running a separate
>>    script as the logged-in user(s) to create the cheers.
>>
>>    Secondly, the cronjob sometimes writes stuff to stdout/err and may exit
>>    with a non-zero exit code, e.g. if no (GNOME/Unity) user is currently
>>    logged in, which leads to rather annoying mails to root.
>>
>>    I really like the idea, but this package may need some work (beyond
>>    polygen support requested by Enrico) before being suitable for
>> distribution.
>>
>>    Greetings from Oldenburg, Philipp
>



Links:
------
[1] http://naturloven.dk
[Message part 2 (text/html, inline)]
[smime.p7s (application/pkcs7-signature, attachment)]
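
An added illustration of the flaw reported in message #15 and the kind of fix described in message #30 (this is not the cheermeup code, which the bug log does not show): a POSIX shell function that reads "key=value" settings from a user-owned file as data instead of sourcing it. The key names `interval` and `enabled`, the function names and the sample config are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Key names "interval" and "enabled" are assumed, not cheermeup's.

# Vulnerable pattern from the report (root executes a user-owned file):
#     . $localconfig

# get_setting FILE KEY DEFAULT: print KEY's value from FILE, treating the
# file strictly as data. Falls back to DEFAULT on anything unexpected.
get_setting() {
    file=$1; key=$2; default=$3
    case $key in
        interval|enabled) ;;                        # allowlisted keys only
        *) printf '%s\n' "$default"; return 0 ;;
    esac
    # Regular files only; a symlink could point a root job at another file.
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        printf '%s\n' "$default"; return 0
    fi
    # Last matching "key=value" line wins; nothing is sourced or eval'ed.
    # "|| true" keeps a no-match grep from aborting under set -e / pipefail.
    value=$( { grep -E "^${key}=" -- "$file" || true; } | tail -n 1 | cut -d= -f2-)
    case $value in
        ''|*[!A-Za-z0-9._-]*) printf '%s\n' "$default" ;;  # reject shell syntax
        *) printf '%s\n' "$value" ;;
    esac
}

# Constructed sample config: lines 2 and 3 would run a command if sourced.
make_sample() {
    cat > "$1/config" <<EOF
interval=45
touch "$1/SOURCED"
enabled=\$(touch "$1/SOURCED")
EOF
}

demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp"
    echo "interval=$(get_setting "$tmp/config" interval 60)"
    echo "enabled=$(get_setting "$tmp/config" enabled yes)"
    [ -e "$tmp/SOURCED" ] && echo "config was executed" || echo "config was not executed"
    rm -rf "$tmp"
}
demo
```

The symlink check and the read are separate steps, so a root-run job parsing a path the user controls is still exposed to a race between them. Running the per-user part as the logged-in user, as suggested earlier in the thread, removes that exposure.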

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org, Ole Wolf <wolf@blazingangles.com>:
Bug#646804; Package wnpp. (Mon, 27 May 2013 13:41:13 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lucas Nussbaum <lucas@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org, Ole Wolf <wolf@blazingangles.com>. (Mon, 27 May 2013 13:41:13 GMT) Full text and rfc822 format available.

Message #35 received at 646804@bugs.debian.org (full text, mbox):

From: Lucas Nussbaum <lucas@debian.org>
To: 646804@bugs.debian.org
Cc: control@bugs.debian.org
Subject: cheermeup: changing back from ITP to RFP
Date: Mon, 27 May 2013 15:24:17 +0200
retitle 646804 RFP: cheermeup -- Send affirmative messages to the user via the notification library
noowner 646804
tag 646804 - pending
thanks

Hi,

This is an automatic email to change the status of cheermeup back from ITP
(Intent to Package) to RFP (Request for Package), because this bug hasn't seen
any activity during the last 12 months.

If you are still interested in adopting cheermeup, please send a mail to
<control@bugs.debian.org> with:

 retitle 646804 ITP: cheermeup -- Send affirmative messages to the user via the notification library
 owner 646804 !
 thanks

However, it is not recommended to keep ITP for a long time without acting on
the package, as it might cause other prospective maintainers to refrain from
packaging that software. It is also a good idea to document your progress on
this ITP from time to time, by mailing <646804@bugs.debian.org>.

Thank you for your interest in Debian,
-- 
Lucas, for the QA team <debian-qa@lists.debian.org>



Changed Bug title to 'RFP: cheermeup -- Send affirmative messages to the user via the notification library' from 'ITP: cheermeup -- Send affirmative messages to the user via the notification library' Request was from Lucas Nussbaum <lucas@debian.org> to control@bugs.debian.org. (Mon, 27 May 2013 13:55:58 GMT) Full text and rfc822 format available.

Removed annotation that Bug was owned by Ole Wolf <wolf@blazingangles.com>. Request was from Lucas Nussbaum <lucas@debian.org> to control@bugs.debian.org. (Mon, 27 May 2013 13:55:59 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 22:43:49 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.