[Reportbug-maint] Bug#880877: reportbug: leak user private information in the SMTP log

borissh1983 at gmail.com
Sun Nov 5 10:24:17 UTC 2017


Package: reportbug 
Version: 7.1.7 
Severity: grave 
Tags: security 
Justification: user security hole 

Dear team, 

When reportbug is used as a direct SMTP client, the reporting user's
hostname, IP and username are leaked to the BTS.

Such an information leak is not expected (and is undesirable). That information is
passed in the Message-ID (hash-reportbug at users-fqdn) and in the Received: from
section.

That information is then made publicly available (under "full text") on the
BTS website.

The information is accessible at the URL https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=$BUGID;msg=5

(This bug is sent without reportbug.)

-- Package-specific info: 
** Environment settings: 
INTERFACE="text" 

** ~/.reportbugrc: 
reportbug_version "6.4.3" 
mode standard 
ui text 
realname "Real name" 
email "myspambox at gmail.com" 
no-cc 
header "X-Debbugs-CC: myspambox at gmail.com" 
smtphost reportbug.debian.org 

-- System Information: 
Debian Release: buster/sid 
 APT prefers unstable 
 APT policy: (901, 'unstable') 
Architecture: amd64 (x86_64) 
Foreign Architectures: i386 

Kernel: Linux 4.13.0-1-amd64 (SMP w/2 CPU cores) 
Shell: /bin/sh linked to /bin/dash 
Init: systemd (via /run/systemd/system) 

Versions of packages reportbug depends on: 
ii  apt                1.6~alpha3 
ii  python3            3.6.3-2 
ii  python3-reportbug  7.1.7 

reportbug recommends no packages. 

Versions of packages reportbug suggests: 
pn  claws-mail                               <none> 
pn  debconf-utils                            <none> 
ii  debsums                                  2.2.2 
pn  dlocate                                  <none> 
pn  emacs24-bin-common | emacs25-bin-common  <none> 
ii  file                                     1:5.32-1 
ii  gir1.2-gtk-3.0                           3.22.25-1 
pn  gir1.2-vte-2.91                          <none> 
ii  gnupg                                    2.2.1-5 
pn  postfix | exim4 | mail-transport-agent   <none> 
ii  python3-gi                               3.24.1-3 
ii  python3-gi-cairo                         3.24.1-3 
pn  python3-gtkspellcheck                    <none> 
pn  python3-urwid                            <none> 
ii  xdg-utils                                1.1.2-1 

Versions of packages python3-reportbug depends on: 
ii  apt                1.6~alpha3 
ii  file               1:5.32-1 
ii  python3            3.6.3-2 
ii  python3-debian     0.1.31 
ii  python3-debianbts  2.6.3 
ii  python3-requests   2.18.1-1 

python3-reportbug suggests no packages. 

-- debconf-show failed
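A pre-submission check for the class of leak described above, added here as an example; it is not part of the report or of reportbug itself. It parses a constructed message of the kind the BTS would publish and flags Message-ID and Received headers carrying the submitter's FQDN, a private address, or the local username (the sample headers, hostname and addresses are made up).

```python
import email
import ipaddress
import re

# Constructed sample of what a directly submitted report can look like once the
# BTS has received it; hostnames, addresses and ids are made up for this example.
SAMPLE_RAW = """Received: from laptop.home.lan (unknown [192.168.1.23])
    by bugs.example.org (Postfix) with ESMTPS id EXAMPLEID
    for <submit@bugs.example.org>; Sun, 5 Nov 2017 10:24:17 +0000 (UTC)
Message-ID: <20171105102417.1234.56789.reportbug@laptop.home.lan>
From: Real name <user@example.org>
To: submit@bugs.example.org
Subject: reportbug: example report

Package: reportbug
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def _private_ips(text):
    """IPv4 addresses in text that are private or loopback, i.e. not meant to be public."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if ip.is_private or ip.is_loopback:
            found.append(str(ip))
    return found

def find_header_leaks(raw_message, local_fqdn, local_user=None):
    """Return (header, reason) pairs for Message-ID and Received headers that
    expose the submitting machine: its FQDN, a private address or the local user."""
    msg = email.message_from_string(raw_message)
    headers = [("Message-ID", msg.get("Message-ID", ""))]
    headers += [("Received", value) for value in msg.get_all("Received", [])]
    findings = []
    for name, value in headers:
        if local_fqdn.lower() in value.lower():
            findings.append((name, "contains local hostname " + local_fqdn))
        for ip in _private_ips(value):
            findings.append((name, "contains private address " + ip))
        if local_user and re.search(r"\b" + re.escape(local_user) + r"\b", value):
            findings.append((name, "contains local username " + local_user))
    return findings

if __name__ == "__main__":
    for header, reason in find_header_leaks(SAMPLE_RAW, "laptop.home.lan"):
        print(header + ": " + reason)
```

Run against a message generated by a local client before it is handed to the SMTP server, the same check tells the sender what the BTS "full text" view will reveal.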
