[Reportbug-maint] Bug#880877: reportbug: leak user private information in the SMTP log
borissh1983 at gmail.com
Sun Nov 5 10:24:17 UTC 2017
Package: reportbug
Version: 7.1.7
Severity: grave
Tags: security
Justification: user security hole
Dear team,
When reportbug is used as a direct SMTP client, the reporting user's
hostname, IP and username are leaked to the BTS.
Such an information leak is not expected (and undesirable). That information is
passed under Message-ID (hash-reportbug at users-fqdn) and in the Received: from
section.
That information is then made publicly available (under "full text") at the
BTS website.
The information can be accessed with the URL
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=$BUGID;msg=5
(this bug is sent without reportbug)
-- Package-specific info:
** Environment settings:
INTERFACE="text"
** ~/.reportbugrc:
reportbug_version "6.4.3"
mode standard
ui text
realname "Real name"
email "myspambox at gmail.com"
no-cc
header "X-Debbugs-CC: myspambox at gmail.com"
smtphost reportbug.debian.org
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (901, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/2 CPU cores)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages reportbug depends on:
ii apt 1.6~alpha3
ii python3 3.6.3-2
ii python3-reportbug 7.1.7
reportbug recommends no packages.
Versions of packages reportbug suggests:
pn claws-mail <none>
pn debconf-utils <none>
ii debsums 2.2.2
pn dlocate <none>
pn emacs24-bin-common | emacs25-bin-common <none>
ii file 1:5.32-1
ii gir1.2-gtk-3.0 3.22.25-1
pn gir1.2-vte-2.91 <none>
ii gnupg 2.2.1-5
pn postfix | exim4 | mail-transport-agent <none>
ii python3-gi 3.24.1-3
ii python3-gi-cairo 3.24.1-3
pn python3-gtkspellcheck <none>
pn python3-urwid <none>
ii xdg-utils 1.1.2-1
Versions of packages python3-reportbug depends on:
ii apt 1.6~alpha3
ii file 1:5.32-1
ii python3 3.6.3-2
ii python3-debian 0.1.31
ii python3-debianbts 2.6.3
ii python3-requests 2.18.1-1
python3-reportbug suggests no packages.
-- debconf-show failed
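
Added example, not part of the original report and not reportbug's own code: a check that can be run over the published copy of a report to see whether the two headers named above (Message-ID and Received) expose the submitter's hostname, username or IP. The sample message, its header layout and all names in it are constructed assumptions.

```python
import email

# Constructed sample message (not taken from the BTS): a Message-ID of the
# form hash-reportbug@users-fqdn and a Received: from line, as the report describes.
SAMPLE = """\
Received: from workstation7.corp.example (unknown [203.0.113.7])
 by mx.example.org with ESMTP id 4A1B2C3D
 (envelope-sender <alice@workstation7.corp.example>);
 Sun, 5 Nov 2017 10:24:17 +0000
Message-ID: <150987745712.2211.1024.reportbug@workstation7.corp.example>
From: Real name <myspambox@example.com>
To: submit@bugs.example.org
Subject: constructed test report

Package: example
"""

# The two headers the report identifies as carrying the leak.
AUDITED_HEADERS = ("Message-ID", "Received")


def find_identity_leaks(raw, hostname, username, ip_addrs=()):
    """Return sorted (header, kind, value) tuples for each local identifier
    that appears in the Message-ID or Received headers of raw."""
    msg = email.message_from_string(raw)
    needles = [("hostname", hostname), ("username", username)]
    needles += [("ip", ip) for ip in ip_addrs]
    leaks = set()
    for header in AUDITED_HEADERS:
        for value in msg.get_all(header, []):
            text = value.lower()
            for kind, needle in needles:
                # Plain substring match, so a hostname that embeds the
                # username is reported as exposing the username too.
                if needle and needle.lower() in text:
                    leaks.add((header, kind, needle))
    return sorted(leaks)


if __name__ == "__main__":
    for header, kind, value in find_identity_leaks(
            SAMPLE, "workstation7.corp.example", "alice", ["203.0.113.7"]):
        print(f"{header}: exposes {kind} {value!r}")
```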