
Bug#555680: System information in bug reports may be security-sensitive



Hi

r14441 [1], "hide wireless keys and wake-on-LAN password when including 
network configuration in bug reports (bug #555680)".

It is unfortunately not enough to prune "wireless-key" from bug reports, as 
wpasupplicant defines additional means to configure passwords for wireless 
links[2], namely wpa-psk and wpa-password. Additionally, I suggest pruning 
commented-out lines as well, as these might contain passwords or other 
sensitive information and have no relevance for bug reporting.

The attached, valid, /etc/network/interfaces example illustrates the 
problem with these means of configuration. The following patch applies to
sid and trunk of linux-2.6 (r14649).

[1]	http://svn.debian.org/viewsvn/kernel/dists/sid/linux-2.6/debian/templates/image.plain.bug/include-network?r1=14441&r2=14597
[2]	http://svn.debian.org/viewsvn/pkg-wpa/wpasupplicant/trunk/debian/README.Debian?view=markup

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>

Index: debian/templates/image.plain.bug/include-network
===================================================================
--- debian/templates/image.plain.bug/include-network	(revision 14649)
+++ debian/templates/image.plain.bug/include-network	(working copy)
@@ -5,7 +5,10 @@
   echo '** Network interface configuration:' >&3
   # Hide passwords/keys
   awk '$1 ~ /^wireless-key/ { gsub(".", "*", $2); }
+       $1 ~ /^wpa-psk/ { gsub(".", "*", $2); }
+       $1 ~ /^wpa-password/ { gsub(".", "*", $2); }
        $1 == "ethtool-wol" { gsub(".", "*", $3); }
+       !/^\#/
        { print; }
       ' </etc/network/interfaces >&3
   echo >&3
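
Review bot: the added !/^\#/ line is a complete rule on its own, because awk ends a pattern-only rule at the newline, so it does not guard the { print; } on the next line. As written, comment lines are still printed by the unconditional { print; }, and every non-comment line is printed twice (once by the pattern's default print action, once by { print; }). Join them as "!/^#/ { print; }", or place "/^#/ { next; }" ahead of the other rules. This matters for the masking as well: in a commented line such as "#	wpa-psk ..." the first field is "#", so none of the key rules match and the value is emitted in clear unless the comment filter actually drops the line.
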
# Used by ifup(8) and ifdown(8). See the interfaces(5) manpage or
# /usr/share/doc/ifupdown/examples for more information.

auto lo
iface lo inet loopback

allow-hotplug eth0
iface eth0 inet dhcp

allow-hotplug wlan0
iface wlan0 inet manual
	wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf

iface linksys_aes inet dhcp
iface default inet dhcp

auto wlan1
iface wlan1 inet dhcp
	wpa-ssid something
	wpa-psk 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
#	wpa-psk 2123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

auto wlan2
iface wlan2 inet dhcp
	wpa-ssid somethingelse
	wpa-password myplaintextpassword
#	wpa-password yourplaintextpassword

auto wlan3
iface wlan3 inet dhcp
	wireless-essid somethingveryelse
	wireless-key mypassword
#	wireless-key yourpassword

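
The redaction described in this message, written as a stand-alone shell function (an added example, not part of the original mail or of the Debian bug script). The function names and the sample input are constructed; masking every field after the key and dropping indented comments go beyond the patch as posted.

```shell
#!/bin/sh
# Added example: redact secrets from an interfaces(5)-style file read on stdin.

sanitize_interfaces() {
    awk '
        # Replace every character of fields n..NF with "*".
        function mask_from(n,   i) {
            for (i = n; i <= NF; i++) gsub(/./, "*", $i)
        }
        # Drop comment lines entirely (assumption: indented comments too).
        /^[ \t]*#/ { next }
        # Key material configured via wireless-tools or wpasupplicant options.
        $1 ~ /^(wireless-key|wpa-psk|wpa-password)/ { mask_from(2) }
        # ethtool-wol: field 2 is the mode, the password starts at field 3.
        $1 == "ethtool-wol" { mask_from(3) }
        { print }
    '
}

# Constructed sample input; every secret contains the marker SECRET.
sample_interfaces() {
    cat <<'EOF'
# constructed comment
auto wlan1
iface wlan1 inet dhcp
    wpa-ssid examplenet
    wpa-psk SECRET0123456789
#   wpa-psk SECRETold
    # wpa-password SECRETindented
    wpa-password "SECRET two words"
    wireless-key SECRETwep
    ethtool-wol g SECRET:00:11
EOF
}

sample_interfaces | sanitize_interfaces
```

Lines that are masked lose their leading indentation because awk rebuilds the record when a field is modified, which is also the behaviour of the filter in the patch.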