security issues
Colin Watson
cjwatson at ubuntu.com
Tue Mar 14 12:35:28 UTC 2006
On Tue, Mar 14, 2006 at 12:29:41PM +0000, Colin Watson wrote:
> The attached diff fixes the core of the problem, although some other
> changes were necessary to fix a related problem with preseeded
> passwords.
Of course I forgot to actually attach the diff. Done now.
--
Colin Watson [cjwatson at ubuntu.com]
-------------- next part --------------
Index: debian/changelog
===================================================================
--- debian/changelog (revision 35398)
+++ debian/changelog (revision 35399)
@@ -16,6 +16,12 @@
it's on the initrd and packages will get correct deps as they're
recompiled against this.
+ [ Colin Watson ]
+ * Honour accept_types/reject_types for questions registered against
+ templates that were received in DATA commands over passthrough. This was
+ one of the root causes of Ubuntu's recent installer password disclosure
+ vulnerability.
+
-- Attilio Fiandrotti <fiandro at tiscali.it> Wed, 8 Mar 2006 22:40:40 +0100
cdebconf (0.97) unstable; urgency=low
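Review bot: The new changelog entry refers to "Ubuntu's recent installer password disclosure vulnerability" without any advisory or bug identifier, so a later reader of the changelog cannot tie this fix to the issue it addresses. Suggest adding that reference to the entry. It would also help to state the code change itself (the template field is now set before the question is stored), since "Honour accept_types/reject_types" describes the effect but not what changed in src/commands.c.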
Index: src/commands.c
===================================================================
--- src/commands.c (revision 35398)
+++ src/commands.c (revision 35399)
@@ -804,11 +804,12 @@
q->template = t;
template_ref(t);
}
+ t->lset(t, NULL, item, value);
mod->questions->methods.set(mod->questions, q);
}
+ else
+ t->lset(t, NULL, item, value);
- t->lset(t, NULL, item, value);
-
asprintf(&out, "%u OK", CMDSTATUS_SUCCESS);
return out;
}
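Review bot: The ordering introduced here is load-bearing but undocumented: in the first branch `t->lset(t, NULL, item, value);` must now run before `mod->questions->methods.set(mod->questions, q);`, and the same call is duplicated in the new `else`. Add a short comment above the first call saying that the field has to be set on the template before the question is stored (per the changelog, this is what lets accept_types/reject_types take effect), so that a later cleanup does not merge the two calls back below the block. If `t` is already valid before the enclosing `if`, a single call placed ahead of it would give the same ordering without the duplication; otherwise consider bracing the `else` to match the braced `if` branch.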