[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#356939: marked as done (d-i/base-config can include sensative info in world-readable log files; needs cleanup by passwd)

Your message dated Wed, 15 Mar 2006 00:17:08 -0800
with message-id <E1FJRBs-0008Ab-7Y@spohr.debian.org>
and subject line Bug#356939: fixed in shadow 1:4.0.14-9
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message --- 
Package: passwd, base-config
Severity: grave
Tags: security patch d-i

The debian-installer team has determined that various sensative
information may be leaked into world-readable log files during the
Debian installation process (sarge, etch, sid [1]). This includes:

 - preseeded passwords for root and other users if a preseed file is
   being used for an automated install (via the debconf-seed log file in
   sarge, and the cdebconf database in etch (bug #356845))
 - pppoeconf passwords in the base-config log file (bug #254068)
 - various other information about what software was installed on the
   system, and the configuration of the system

Note that unlike the similar security issues that affected Ubuntu, root
passwords are not leaked into the log files during regular,
non-preseeded installs.

The attached patches to passwd's postinst close these holes for already
installed systems, by chmoding all affected log files to mode 600. There
are two patches, one is against passwd 1:4.0.14-7 from unstable, and one
is against passwd 1:4.0.3-31sarge5 from stable. I've also include a
patch for base-confg in stable to do the same thing[2]. In combination with
installation-report 2.13 (unstable), this will fix the issue in all
circumstances.

Note that passwd is not where this bug originated, and is only being
involved in the fix because there is no better place to put the fix.
Unfortunatly, in systems installed by the sarge installer, some of the
affected log files are not "owned" by any particular package, so the fix
has to go into an unrelated package that is installed/upgraded on every
system.

-- 
see shy jo

[1] oldstable may also be vulnerable to the #254068 part of this issue,
    but I have not investigated it.
[2] The passwd fix is needed to fix already installed systems on
    upgrade now, while the base-config fix is needed to secure systems
    installed after the passwd package is accepted into the next stable
    point release.

diff -ur old/shadow-4.0.14/debian/changelog shadow-4.0.14/debian/changelog
--- old/shadow-4.0.14/debian/changelog	2006-03-14 15:25:49.000000000 -0500
+++ shadow-4.0.14/debian/changelog	2006-03-14 16:13:19.000000000 -0500
@@ -1,3 +1,11 @@
+shadow (1:4.0.14-8) unstable; urgency=high
+
+  * passwd.postinst: On upgrades from any prior version, chmod 600 various
+    base-config and d-i log files that might contain sensative information,
+    including in some cases, passwords.
+
+ -- Joey Hess <joeyh@debian.org>  Tue, 14 Mar 2006 16:12:11 -0500
+
 shadow (1:4.0.14-7) unstable; urgency=low
 
   * The "Carré d'Aurillac" release (let's stay in Cantal)
diff -ur old/shadow-4.0.14/debian/passwd.postinst shadow-4.0.14/debian/passwd.postinst
--- old/shadow-4.0.14/debian/passwd.postinst	2006-03-14 15:25:49.000000000 -0500
+++ shadow-4.0.14/debian/passwd.postinst	2006-03-14 16:22:36.000000000 -0500
@@ -4,6 +4,19 @@
 
 case "$1" in
 configure)
+    # Fix permissions on various log files from old versions of the debian
+    # installer, some unrelated to passwd but we decided to put the fix
+    # here since there was no better place. This can safely be removed
+    # after etch is released.
+    if dpkg --compare-versions "$2" lt "1:4.0.14-8"; then
+	    for log in /var/log/base-config* \
+		    $(find /var/log/debian-installer/ /var/log/installer/ -type f 2>/dev/null ); do
+		if [ -e "$log" ]; then
+			chmod 600 "$log"
+		fi
+            done
+    fi
+
     rm -f /etc/pam.d/passwd.pre-upgrade 2>/dev/null
 	if ! getent group shadow | grep -q '^shadow:[^:]*:42'
 	then

diff -ur old/shadow-4.0.3/debian/changelog shadow-4.0.3/debian/changelog
--- old/shadow-4.0.3/debian/changelog	2006-03-14 16:23:51.000000000 -0500
+++ shadow-4.0.3/debian/changelog	2006-03-14 16:16:25.000000000 -0500
@@ -1,3 +1,11 @@
+shadow (1:4.0.3-31sarge6) stable-security; urgency=high
+
+  * passwd.postinst: On upgrades from any prior version, chmod 600 various
+    base-config and d-i log files that might contain sensative information,
+    including in some cases, passwords.
+
+ -- Joey Hess <joeyh@debian.org>  Tue, 14 Mar 2006 16:14:26 -0500
+
 shadow (1:4.0.3-31sarge5) testing-proposed-updates; urgency=high
 
   * Re-apply the debian/patches/036_CAN-2004-1001_passwd_check patch
diff -ur old/shadow-4.0.3/debian/passwd.postinst shadow-4.0.3/debian/passwd.postinst
--- old/shadow-4.0.3/debian/passwd.postinst	2006-03-14 16:23:51.000000000 -0500
+++ shadow-4.0.3/debian/passwd.postinst	2006-03-14 16:17:28.000000000 -0500
@@ -10,6 +10,19 @@
 
 if test "$1" = configure
 then
+    # Fix permissions on various log files from old versions of the debian
+    # installer, some unrelated to passwd but we decided to put the fix
+    # here since there was no better place. This can safely be removed
+    # after etch is released.
+    if dpkg --compare-versions "$2" lt "1:4.0.3-31sarge6"; then
+	    for log in /var/log/base-config* \
+		    $(find /var/log/debian-installer/ /var/log/installer/ -type f 2>/dev/null ); do
+		if [ -e "$log" ]; then
+			chmod 600 "$log"
+		fi
+            done
+    fi
+    
     rm -f /etc/pam.d/passwd.pre-upgrade 2>/dev/null
 	if ! getent group shadow | grep -q '^shadow:[^:]*:42'
 	then

diff -ur old/base-config-2.53.10/base-config base-config-2.53.10.1/base-config
--- old/base-config-2.53.10/base-config	2005-05-13 17:00:26.000000000 -0400
+++ base-config-2.53.10.1/base-config	2006-03-14 16:02:24.000000000 -0500
@@ -28,6 +28,14 @@
 SHELL=/bin/sh
 export SHELL
 
+# Fix permissions of log files to avoid data leakage.
+for log in /var/log/base-config* \
+	   $(find /var/log/debian-installer/ /var/log/installer/ -type f 2>/dev/null ); do
+	if [ -e "$log" ]; then
+		chmod 600 "$log"
+	fi
+done
+
 gettext "Configuring the base system..."
 echo
 
diff -ur old/base-config-2.53.10/debian/changelog base-config-2.53.10.1/debian/changelog
--- old/base-config-2.53.10/debian/changelog	2005-05-15 14:56:15.000000000 -0400
+++ base-config-2.53.10.1/debian/changelog	2006-03-14 16:26:02.000000000 -0500
@@ -1,3 +1,11 @@
+base-config (2.53.10.1) stable-security; urgency=high
+
+  * Add permission fixing code to base-config to deal with data leakage in
+    d-i and base-config log files. chmod all possibly affected log files 600.
+  * Disable Mirrors.masterlist downloading for stable build.
+
+ -- Joey Hess <joeyh@debian.org>  Tue, 14 Mar 2006 16:02:28 -0500
+
 base-config (2.53.10) testing; urgency=low
 
   * Christian Perrier
diff -ur old/base-config-2.53.10/debian/rules base-config-2.53.10.1/debian/rules
--- old/base-config-2.53.10/debian/rules	2005-05-13 17:00:22.000000000 -0400
+++ base-config-2.53.10.1/debian/rules	2006-03-14 16:26:25.000000000 -0500
@@ -2,6 +2,7 @@
 
 CVSGET=cvs -d":pserver:anonymous@cvs.debian.org:/cvs/webwml" \
 	co -p webwml/english/mirror/Mirrors.masterlist
+ONLINE=n
 
 build:
 	# Freshen Mirrors.masterlist file, but allow failure.

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message --- 
Source: shadow
Source-Version: 1:4.0.14-9

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.0.14-9_i386.deb
  to pool/main/s/shadow/login_4.0.14-9_i386.deb
passwd_4.0.14-9_i386.deb
  to pool/main/s/shadow/passwd_4.0.14-9_i386.deb
shadow_4.0.14-9.diff.gz
  to pool/main/s/shadow/shadow_4.0.14-9.diff.gz
shadow_4.0.14-9.dsc
  to pool/main/s/shadow/shadow_4.0.14-9.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 356939@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <bubulle@debian.org> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 15 Mar 2006 08:03:43 +0100
Source: shadow
Binary: login passwd
Architecture: source i386
Version: 1:4.0.14-9
Distribution: unstable
Urgency: high
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Christian Perrier <bubulle@debian.org>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
Closes: 356939
Changes: 
 shadow (1:4.0.14-9) unstable; urgency=high
 .
   [ Joey Hess ]
   * passwd.postinst: On upgrades from any prior version, chmod 600 various
     base-config and d-i log files that might contain sensative information,
     including in some cases, passwords. Closes: #356939
Files: 
 74a012b5c46114dfa9791117ca3a39db 964 admin required shadow_4.0.14-9.dsc
 b68a15711bbc474ffbe2bda0b5f5f4b0 177589 admin required shadow_4.0.14-9.diff.gz
 d337f489eeae22481272fa37a07ed696 730760 admin required passwd_4.0.14-9_i386.deb
 22d7491aceaec65eafff79056282017a 653424 admin required login_4.0.14-9_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEF8GE1OXtrMAUPS0RAlUzAJ9ObV9wObBKMcQEvYdhl9m3+EIMlgCcCX9Z
bNIw2IxEfacFZwPAavBEEhw=
=FNeu
-----END PGP SIGNATURE-----

--- End Message ---
Reply to: