Bug#546884: Privacy revealed - #304718 backfired

Artur R. Czechowski arturcz at hell.pl
Wed Sep 16 19:32:13 UTC 2009


severity 546884 serious
thanks

Package: mutt
Version: 1.5.20-2
Severity: serious

Hello,
I believe this bug shall be set as serious (and I've just changed it
accordingly). Explanation follows.

I am using default setup of exim4 4.69-11+b1 with no modification, only
changes are made using dpkg-reconfigure.

I have default /etc/Muttrc from mutt 1.5.20 and default setting
for sendmail parameter: /usr/sbin/sendmail -oem -oi

With such settings Bcc field has been revealed to all recipients.
I want to emphasise it: I have default configuration provided by Debian
and the bug appears.

They say: better safe than sorry. That's why default shall be set
to protect privacy. In case someone needs to have unset write_bcc (as
submitter of mentioned 304718) he can set it on his own - taking all risks
into consideration.

Additionally, I believe it shall be also fixed in stable release.

Best regards
	Artur

-- Package-specific info:
Mutt 1.5.20 (2009-06-14)
Copyright (C) 1996-2009 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.

System: Linux 2.6.30-1-amd64 (x86_64)
ncurses: ncurses 5.7.20090803 (compiled with 5.7)
libidn: 1.15 (compiled with 1.15)
hcache backend: GDBM version 1.8.3. 10/15/2002 (built Jul  9 2009 11:48:41)
Compile options:
-DOMAIN
+DEBUG
-HOMESPOOL  +USE_SETGID  +USE_DOTLOCK  +DL_STANDALONE  +USE_FCNTL  -USE_FLOCK   
+USE_POP  +USE_IMAP  +USE_SMTP  
-USE_SSL_OPENSSL  +USE_SSL_GNUTLS  +USE_SASL  +USE_GSS  +HAVE_GETADDRINFO  
+HAVE_REGCOMP  -USE_GNU_REGEX  
+HAVE_COLOR  +HAVE_START_COLOR  +HAVE_TYPEAHEAD  +HAVE_BKGDSET  
+HAVE_CURS_SET  +HAVE_META  +HAVE_RESIZETERM  
+CRYPT_BACKEND_CLASSIC_PGP  +CRYPT_BACKEND_CLASSIC_SMIME  +CRYPT_BACKEND_GPGME  
-EXACT_ADDRESS  -SUN_ATTACHMENT  
+ENABLE_NLS  -LOCALES_HACK  +COMPRESSED  +HAVE_WC_FUNCS  +HAVE_LANGINFO_CODESET  +HAVE_LANGINFO_YESEXPR  
+HAVE_ICONV  -ICONV_NONTRANS  +HAVE_LIBIDN  +HAVE_GETSID  +USE_HCACHE  
-ISPELL
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/share/mutt"
SYSCONFDIR="/etc"
EXECSHELL="/bin/sh"
MIXMASTER="mixmaster"
To contact the developers, please mail to <mutt-dev at mutt.org>.
To report a bug, please visit http://bugs.mutt.org/.

patch-1.5.13.cd.ifdef.2

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages mutt depends on:
ii  libc6                   2.9-26           GNU C Library: Shared libraries
ii  libcomerr2              1.41.9-1         common error description library
ii  libgdbm3                1.8.3-6          GNU dbm database routines (runtime
ii  libgnutls26             2.8.3-2          the GNU TLS library - runtime libr
ii  libgpg-error0           1.6-1            library for common error values an
ii  libgpgme11              1.1.8-2          GPGME - GnuPG Made Easy
ii  libgssapi-krb5-2        1.7dfsg~beta3-1  MIT Kerberos runtime libraries - k
ii  libidn11                1.15-1           GNU Libidn library, implementation
ii  libk5crypto3            1.7dfsg~beta3-1  MIT Kerberos runtime libraries - C
ii  libkrb5-3               1.7dfsg~beta3-1  MIT Kerberos runtime libraries
ii  libncursesw5            5.7+20090803-2   shared libraries for terminal hand
ii  libsasl2-2              2.1.23.dfsg1-1.1 Cyrus SASL - authentication abstra

Versions of packages mutt recommends:
ii  exim4                   4.69-11          metapackage to ease Exim MTA (v4) 
ii  exim4-daemon-light [mai 4.69-11+b1       lightweight Exim MTA (v4) daemon
ii  libsasl2-modules        2.1.23.dfsg1-1.1 Cyrus SASL - pluggable authenticat
ii  locales                 2.9-26           GNU C Library: National Language (
ii  mime-support            3.46-1           MIME files 'mime.types' & 'mailcap

Versions of packages mutt suggests:
ii  aspell                        0.60.6-2   GNU Aspell spell-checker
ii  ca-certificates               20090814   Common CA certificates
ii  gnupg                         1.4.10-1   GNU privacy guard - a free PGP rep
ii  ispell                        3.1.20.0-6 International Ispell (an interacti
pn  mixmaster                     <none>     (no description available)
ii  openssl                       0.9.8k-4   Secure Socket Layer (SSL) binary a
ii  urlview                       0.9-18     Extracts URLs from text

Versions of packages mutt is related to:
ii  mutt                          1.5.20-2   text-based mailreader supporting M
pn  mutt-dbg                      <none>     (no description available)
pn  mutt-patched                  <none>     (no description available)

-- no debconf information

-- 
There are only 10 types of people in the world: 
Those who understand binary and those who don't.
			/unknown/
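
An added example, not part of the original message and not code from mutt or exim4: a check of the two things the report describes, the effective write_bcc and sendmail settings in a muttrc, and whether a received copy of a test mail still carries a Bcc header. It assumes write_bcc is on when the muttrc does not mention it, takes the sendmail default from the report, and uses constructed muttrc lines and a constructed sample message.

```python
import shlex
from email import message_from_string
from email.utils import getaddresses

# Assumed defaults: write_bcc on; sendmail command as quoted in the report.
DEFAULTS = {"write_bcc": True, "sendmail": "/usr/sbin/sendmail -oem -oi"}

def effective_settings(muttrc_text):
    """Return the write_bcc / sendmail values in effect after muttrc_text."""
    cfg = dict(DEFAULTS)
    for line in muttrc_text.splitlines():
        try:
            words = shlex.split(line, comments=True)  # drops '# ...' comments
        except ValueError:  # unbalanced quotes: skip the line
            continue
        if len(words) < 2 or words[0] not in ("set", "unset"):
            continue
        for word in words[1:]:
            name, _, value = word.partition("=")
            if word == "nowrite_bcc" and words[0] == "set":
                cfg["write_bcc"] = False
            elif name == "write_bcc":
                # 'set write_bcc', 'set write_bcc=yes|no', 'unset write_bcc'
                cfg["write_bcc"] = words[0] == "set" and value != "no"
            elif name == "sendmail" and words[0] == "set":
                cfg["sendmail"] = value
    return cfg

def visible_bcc(raw_message):
    """Addresses exposed in a Bcc header of a message copy as received."""
    msg = message_from_string(raw_message)
    return [addr for _, addr in getaddresses(msg.get_all("Bcc", []))]

# Constructed sample: the copy a To: recipient would receive if Bcc leaked.
SAMPLE_RECEIVED = (
    "From: sender@example.org\n"
    "To: alice@example.org\n"
    "Bcc: bob@example.org\n"
    "Subject: bcc test\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(effective_settings("unset write_bcc  # keep Bcc out of sent mail"))
    print("Bcc visible to recipient:", visible_bcc(SAMPLE_RECEIVED))
```

Run visible_bcc over the copy that arrives in a To: recipient's mailbox; an empty list means the Bcc header did not reach that recipient.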





More information about the Pkg-exim4-maintainers mailing list