
Bug#624753: Security prb with apt with https transport



reassign 624573 libcurl3-gnutls 7.21.0-1
retitle 624573 errorbuffer message includes user/password
thanks

Hi *,

in case of error, apt-transport-https prints the error message gathered
with CURL_ERRORBUFFER.
If we have an unresolvable host the message in stable
(with libcurl3-gnutls 7.21.0) is as follows:
Couldn't resolve host 'example.org:secret@unresolvable.debian.org'

As you can see here, it includes username and password.
Even further, the username is garbled as the username is in reality:
me@example.org -- so the 'me@' is cut off.

(It's not really a security issue in my eyes, as the user who can see this
 message can easily also look up the files himself, but on the other
 hand it is not really useful to include here - especially not broken.)


You can reproduce this by installing apt-transport-https and
$ mkdir -p /tmp/apt/lists
$ cd /tmp/apt
$ cat test.list
deb https://unresolvable.debian.org/debian/ squeeze main
$ cat auth.conf
machine unresolvable.debian.org
login me@example.org
password secret
$ LANG=C apt-get update -o dir::etc::sourcelist=/tmp/apt/test.list -o dir::etc::sourceparts=/dev/null -o dir::etc::netrc=/tmp/apt/auth.conf -o dir::state::lists=/tmp/apt/lists -s


Also interesting: if I move back to the current unstable version
of libcurl3-gnutls (7.21.6-1) I am getting a different error:
Failed to connect to 2620:0:2d0:200::10: Network is unreachable

If I remove the 'me@' part from auth.conf the message is
Couldn't resolve host 'unresolvable.debian.org'

So, for newer versions username and password seem to get removed
from the error message, but it still seems to be confused by the @.


Best regards

David Kalnischkies


P.S.: Sorry, I have no https setup currently to test if it would work
if the host wouldn't be unresolvable…
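The two problems in this report are a credential ending up in a transport error string, and an unencoded '@' inside the login making the authority ambiguous. The following added illustration (it is not code from this bug report, from apt or from libcurl) shows both on the values used above: a naive split at the first '@' reproduces the garbled host string quoted in the report, percent-encoding the login per RFC 3986 removes the ambiguity for any split strategy, and masking the configured credentials before an error string is logged removes the leak even when the message is garbled. The first-'@' split is only an assumption used to model the observed output, not a statement about how libcurl parses URLs.

```python
from urllib.parse import quote, urlsplit, urlunsplit


def encode_userinfo(login, password):
    """Percent-encode login and password for the URL userinfo component.

    '@' and ':' are reserved in the authority (RFC 3986), so a login such
    as 'me@example.org' must be sent as 'me%40example.org'.
    """
    return f"{quote(login, safe='')}:{quote(password, safe='')}"


def build_url(scheme, host, path, login, password):
    """Assemble an authenticated URL with a correctly encoded userinfo."""
    netloc = f"{encode_userinfo(login, password)}@{host}"
    return urlunsplit((scheme, netloc, path, "", ""))


def split_authority_first_at(netloc):
    """Naive split at the FIRST '@' (assumed model of the garbled output).

    With an unencoded '@' in the login this yields the host string quoted
    in the report, with 'me@' cut off and the password inside the 'host'.
    """
    userinfo, _, host = netloc.partition("@")
    return userinfo, host


def split_authority_last_at(netloc):
    """RFC 3986 behaviour: userinfo ends at the LAST '@' of the authority."""
    userinfo, _, host = netloc.rpartition("@")
    return userinfo, host


def scrub_error_message(message, secrets):
    """Mask every configured credential in a transport error string.

    Longest secrets are replaced first so a password that is a prefix of
    another secret cannot survive partially; empty secrets are ignored.
    """
    for secret in sorted((s for s in secrets if s), key=len, reverse=True):
        message = message.replace(secret, "***")
    return message


# Constructed sample values, taken from the auth.conf shown in the report.
LOGIN, PASSWORD, HOST = "me@example.org", "secret", "unresolvable.debian.org"


def demo():
    """Run the three cases and return their results for inspection."""
    raw_netloc = f"{LOGIN}:{PASSWORD}@{HOST}"          # unencoded, as typed
    garbled_host = split_authority_first_at(raw_netloc)[1]

    safe_url = build_url("https", HOST, "/debian/", LOGIN, PASSWORD)
    safe_netloc = urlsplit(safe_url).netloc               # encoded userinfo

    # Constructed error string modelled on the one quoted in the report.
    message = f"Couldn't resolve host '{garbled_host}'"

    return {
        "garbled_host": garbled_host,
        "encoded_host_first_at": split_authority_first_at(safe_netloc)[1],
        "encoded_host_last_at": split_authority_last_at(safe_netloc)[1],
        "scrubbed": scrub_error_message(message, [LOGIN, PASSWORD]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module prints the garbled host exactly as it appears in the report, the correctly recovered host once the login is percent-encoded, and the error message with the password masked. The scrubbing step is the defensive measure that does not depend on the library being fixed: the transport already knows the netrc credentials, so it can mask them in any error text before that text is shown or logged.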


