
Bug#1029077: debian-edu-config: leaks first user password in Debconf answers

Source: debian-edu-config
Version: 2.12.25
Severity: normal

It was discovered that the password for the first user (GOsa), and for the
root user if using the Debian Edu installer, is not cleared from the Debconf
answers database. It is therefore also available unencrypted in the
system memory on tjener, at least after the first ever debconf run.

The database is generally not world-readable, and regular users cannot
access arbitrary system memory, so this is not a critical security bug.

I still propose to clear the password from the Debconf database "as
soon as possible", as per the Debconf Programmer's Tutorial [1]:

  You should consider clearing that value out of the database as soon
  as is possible.

-nik

[1] http://www.fifi.org/doc/debconf-doc/tutorial.html#AEN34

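As an added example (not part of this bug report or of debian-edu-config), a small audit that parses debconf's 822-style database files and lists password-type questions whose stored value was never cleared after use. The file contents and the question names below are constructed placeholders, not the real debian-edu-config keys.

```python
import re

# Constructed sample of /var/cache/debconf/templates.dat (822-style stanzas);
# question names are placeholders, not the real debian-edu-config keys.
SAMPLE_TEMPLATES = """\
Name: example-pkg/first-user-password
Type: password
Description: Password for the first user
 Kept only until the account has been created.
"""

# Constructed sample of the matching answers file (passwords.dat / config.dat).
SAMPLE_ANSWERS = """\
Name: example-pkg/first-user-password
Template: example-pkg/first-user-password
Value: hunter2
Owners: example-pkg
Flags: seen

Name: example-pkg/hostname
Template: example-pkg/hostname
Value: tjener
Owners: example-pkg
Flags: seen
"""

def parse_debconf_db(text):
    """Parse blank-line separated 'Field: value' stanzas into {Name: {field: value}}."""
    entries = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in stanza.splitlines():
            if line[:1].isspace() and last:  # folded continuation line
                fields[last] += "\n" + line.strip()
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
            last = key.strip()
        if "Name" in fields:
            entries[fields["Name"]] = fields
    return entries

def retained_password_answers(templates_text, answers_text):
    """Names of password-type questions whose stored Value was never cleared."""
    types = {n: f.get("Type") for n, f in parse_debconf_db(templates_text).items()}
    return sorted(
        name for name, fields in parse_debconf_db(answers_text).items()
        if types.get(fields.get("Template", name)) == "password" and fields.get("Value")
    )
```

Run against the real files on a host (they are root-readable only), an empty result means every password answer was cleared as the tutorial recommends.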