USN-88-1: reportbug information disclosure

28 February 2005

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 4.10

Details

Rolf Leggewie discovered two information disclosure bugs in reportbug.

The per-user configuration file ~/.reportbugrc was created world-readable. If it contained email smarthost passwords, these were readable by any other user on the computer storing the home directory.

reportbug usually includes the settings from ~/.reportbugrc in generated bug reports. This included the “smtppasswd” setting (the password for an SMTP email smarthost) as well. The password is now hidden from reports.
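A local check for both issues described above, written as an added example that is not part of the advisory or of reportbug's own code. The function names are hypothetical, and the script assumes ~/.reportbugrc holds one "key value" setting per line.

```shell
#!/bin/sh
# Added example, not reportbug code. Assumes "key value" lines in the rc file.

# Print "missing", "private", "exposed" or "exposed-secret" for a reportbugrc.
# Returns non-zero only when group or other users can read the file.
check_reportbugrc() {
    rc_file=$1
    [ -f "$rc_file" ] || { echo missing; return 0; }
    # find prints the path only if the group-read or other-read bit is set.
    if [ -z "$(find "$rc_file" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo private
        return 0
    fi
    if grep -Eq '^[[:space:]]*smtppasswd([[:space:]]|$)' "$rc_file"; then
        echo exposed-secret   # treat the smarthost password as disclosed
    else
        echo exposed
    fi
    return 1
}

# Restrict the file to its owner. This does not recall a password that was
# already read locally or already sent inside a bug report; change it as well.
harden_reportbugrc() {
    chmod 600 "$1"
}

# Filter stdin to stdout, masking the smtppasswd value before settings are
# pasted into a report (illustrates the idea, not reportbug's actual fix).
redact_smtppasswd() {
    sed -E 's/^([[:space:]]*smtppasswd)[[:space:]].*$/\1 <redacted>/'
}

# Audit the invoking user's file when the script is run with "audit".
if [ "${1:-}" = "audit" ]; then
    check_reportbugrc "${HOME}/.reportbugrc"
fi
```

The check also flags group-readable files, which goes slightly beyond the world-readable case in the advisory.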

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 4.10
reportbug

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
