[pkg-squid-devel] squid3 3.4.8-2
Luigi Gangitano
luigi at debian.org
Thu Oct 30 09:51:15 UTC 2014
> On 30 Oct 2014, at 02:27, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>> I also added the patch suggested in 700983 and am ready to upload
>> if that is ok for you.
>
> Your call, but I did not pull it in upstream because IMHO this might
> result in a future CVE for "information leak".
My bad here, wrong cut&paste. I added the patch suggested in #765476. ;-)
> The suggested patch places the samba login username and password into
> the helper command line. As a result they will be visible to all users
> on the machine.
>
> If the suggested patch works at all, then the USER variable is
> available in the environment for the smbclient executable to use. So I
> believe you are right the bug is in the smbclient not following its
> documented behaviour as relied on by the Squid helper script.
Latest comment from submitter seems to point out that smbclient indeed works as intended. Is there any possible interaction with /bin/sh in corner cases (e.g. the current /bin/sh is dash)?
> I don't use it myself so can't say whether it works properly but it
> might be better to distribute the compiled executable basic_smb_auth
> instead of the basic_smb_auth.sh script version.
Reading the code again, it looks like everything is fine: USER is set and exported. Will need to set up a test case.
I would like to distribute the compiled executable but we would need to handle configuration changes in postinst so as to avoid breaking existing users.
Regards,
L
--
Luigi Gangitano -- <luigi at debian.org> -- <gangitano at lugroma3.org>
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972 C24A F19B A618 924C 0C26
GPG: 4096R/2BA97CED: 8D48 5A35 FF1E 6EB7 90E5 0F6D 0284 F20C 2BA9 7CED
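
The exposure discussed in the message above, as an added example that is not part of the original thread or of the Squid helper: on Linux, a process's arguments are readable by any local user through /proc/<pid>/cmdline, while /proc/<pid>/environ is readable only by the process owner and root. The stand-in helper (`sh -c 'sleep ...'`), the variable name `DEMO_PASSWD` and the secret value are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (Linux procfs assumed): where does a credential end up when a
# helper receives it as an argument versus through its environment?

SECRET='constructed-demo-password'   # constructed sample value, not a real credential

# Succeeds if $SECRET is present in the argv of process $1. This is the same
# data that ps shows to every local user.
secret_in_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null | grep -q -F -- "$SECRET"
}

# Start a stand-in helper with the secret on its command line; print its PID.
# The trailing ':' keeps the shell from exec'ing sleep and replacing its argv.
spawn_argv_helper() {
    sh -c 'sleep 3; :' helper "$SECRET" >/dev/null 2>&1 &
    echo $!
}

# Start the same stand-in with the secret only in its environment
# (DEMO_PASSWD is a hypothetical variable name used for this demo).
spawn_env_helper() {
    DEMO_PASSWD="$SECRET" sh -c 'sleep 3; :' helper >/dev/null 2>&1 &
    echo $!
}

# Run the spawn function named in $1 and print "exposed" or "hidden".
check_exposure() {
    pid=$("$1")
    sleep 1                          # give the child time to exec
    if secret_in_cmdline "$pid"; then
        result=exposed
    else
        result=hidden
    fi
    kill "$pid" 2>/dev/null || true  # stop the stand-in helper
    echo "$result"
}

echo "secret passed as argument:    $(check_exposure spawn_argv_helper)"
echo "secret passed in environment: $(check_exposure spawn_env_helper)"
```
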