Package: reportbug
Version: 7.1.7
Severity: grave
Tags: security
Justification: user security hole
Dear team,

When reportbug is used as a direct SMTP client, the reporting user's hostname, IP and username are leaked to the BTS. Such an information leak is not expected (and is undesirable). That information is passed in the Message-ID (hash-reportbug@users-fqdn) and in the "Received: from" section. That information is then made publicly available (under "full text") on the BTS website. The information can be accessed at the URL https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=$BUGID;msg=5

(this bug is sent without reportbug)

-- Package-specific info:
** Environment settings:
INTERFACE="text"

** ~/.reportbugrc:
reportbug_version "6.4.3"
mode standard
ui text
realname "Real name"
email "myspam...@gmail.com"
no-cc
header "X-Debbugs-CC: myspam...@gmail.com"
smtphost reportbug.debian.org

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (901, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/2 CPU cores)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages reportbug depends on:
ii  apt                1.6~alpha3
ii  python3            3.6.3-2
ii  python3-reportbug  7.1.7

reportbug recommends no packages.

Versions of packages reportbug suggests:
pn  claws-mail                                     <none>
pn  debconf-utils                                  <none>
ii  debsums                                        2.2.2
pn  dlocate                                        <none>
pn  emacs24-bin-common | emacs25-bin-common        <none>
ii  file                                           1:5.32-1
ii  gir1.2-gtk-3.0                                 3.22.25-1
pn  gir1.2-vte-2.91                                <none>
ii  gnupg                                          2.2.1-5
pn  postfix | exim4 | mail-transport-agent         <none>
ii  python3-gi                                     3.24.1-3
ii  python3-gi-cairo                               3.24.1-3
pn  python3-gtkspellcheck                          <none>
pn  python3-urwid                                  <none>
ii  xdg-utils                                      1.1.2-1

Versions of packages python3-reportbug depends on:
ii  apt               1.6~alpha3
ii  file              1:5.32-1
ii  python3           3.6.3-2
ii  python3-debian    0.1.31
ii  python3-debianbts 2.6.3
ii  python3-requests  2.18.1-1

python3-reportbug suggests no packages.

-- debconf-show failed
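The two headers the report names, Message-ID and Received, behave differently from the client's side: Message-ID is generated locally (Python's make_msgid() falls back to socket.getfqdn() when no domain is passed), whereas Received is stamped by the receiving MTA. The following is an added example, not part of this bug report and not reportbug's own code: a pre-flight check that scans an outgoing message for the local FQDN and login name, and a builder that supplies an explicit Message-ID domain so the hostname is never consulted. The leaky sample message, the hostname myhost.home.lan, the address 203.0.113.7, the login alice and the Message-ID layout are all constructed for illustration, not copied from reportbug's output.

```python
"""Pre-flight leak check for a bug report sent by a direct-SMTP client.

Added example, not part of the bug report or of reportbug. Header layout,
hostnames, IPs and login names below are constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import make_msgid

# Address fields legitimately carry the submitter's chosen e-mail address
# (here a gmail one), so they are skipped; every other header is inspected.
ADDRESS_HEADERS = {"from", "to", "cc", "reply-to", "x-debbugs-cc"}


def find_leaks(msg, fqdn, username):
    """Return [(header, value)] for non-address headers containing the local
    FQDN or login name (case-insensitive substring match)."""
    needles = [n.lower() for n in (fqdn, username) if n]
    leaks = []
    for name, value in msg.items():
        if name.lower() in ADDRESS_HEADERS:
            continue
        text = str(value).lower()
        if any(n in text for n in needles):
            leaks.append((name, str(value)))
    return leaks


def build_report(realname, address, subject, body, msgid_domain):
    """Build a report whose Message-ID uses msgid_domain.

    make_msgid() only calls socket.getfqdn() when domain is None, so passing
    a domain keeps the local hostname out of the header entirely.
    """
    msg = EmailMessage()
    msg["From"] = f"{realname} <{address}>"
    msg["To"] = "submit@bugs.debian.org"
    msg["Subject"] = subject
    msg["Message-ID"] = make_msgid(domain=msgid_domain)
    msg.set_content(body)
    return msg


# Constructed sample of what the BTS "full text" view could show for a report
# delivered straight from the user's machine. The Received line is the kind of
# trace the receiving MTA adds; the client cannot rewrite it.
LEAKY_RAW = """\
Received: from myhost.home.lan (myhost.home.lan [203.0.113.7])
\tby reportbug.debian.org with esmtp (envelope-from <alice@myhost.home.lan>)
Message-ID: <20171115103000.0123456789abcdef.reportbug@myhost.home.lan>
From: Real name <myspam@gmail.com>
To: submit@bugs.debian.org
Subject: reportbug: leaks hostname

body
"""


def leaks_in_sample():
    """Leaks found in the constructed sample: Received and Message-ID."""
    msg = email.message_from_string(LEAKY_RAW, policy=policy.default)
    return find_leaks(msg, fqdn="myhost.home.lan", username="alice")


def leaks_in_clean_report():
    """Leaks found in a locally built report with an explicit Message-ID domain: none."""
    msg = build_report("Real name", "myspam@gmail.com", "reportbug: leaks hostname",
                       "body", msgid_domain="example.invalid")
    return find_leaks(msg, fqdn="myhost.home.lan", username="alice")


if __name__ == "__main__":
    for header, value in leaks_in_sample():
        print(f"LEAK in {header}: {value}")
    print("clean report leaks:", leaks_in_clean_report())
```

The check catches what the client puts in the message itself. The Received header is added by reportbug.debian.org when the connection arrives, so it records the connecting IP and HELO name no matter what headers were sent; the only client-side remedy for that part of the leak is to hand the report to a local MTA or a provider's submission service instead of speaking SMTP to the BTS directly.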