Debian Bug report logs - #436681
backuppc: Web interface password publicly visible


Package: backuppc; Maintainer for backuppc is Ludovic Drolez <ldrolez@debian.org>; Source for backuppc is src:backuppc.

Reported by: Frans Pop <elendil@planet.nl>

Date: Wed, 8 Aug 2007 14:00:02 UTC

Severity: critical

Tags: security

Found in versions backuppc/2.1.2-6, backuppc/3.0.0-1

Fixed in version backuppc/3.0.0-4

Done: Ludovic Drolez <ldrolez@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Ludovic Drolez <ldrolez@debian.org>:
Bug#436681; Package backuppc.

Acknowledgement sent to Frans Pop <elendil@planet.nl>:
New Bug report received and forwarded. Copy sent to Ludovic Drolez <ldrolez@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Frans Pop <elendil@planet.nl>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: backuppc: Web interface password publicly visible
Date: Wed, 08 Aug 2007 15:58:39 +0200
Package: backuppc
Version: 2.1.2-6
Severity: critical
Tags: security

The default password generated at installation time is publicly
visible to any user with local access to the system on which backuppc is
installed, as it is included in the debconf database [1] as a variable
for the backuppc/configuration-note template.

I've decided on severity critical for this issue as it potentially allows
random users to start backup jobs for other systems and possibly interfere
with backed-up data.

I'd suggest clearing this variable immediately after displaying the note.

[1] /var/cache/debconf/config.dat

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages backuppc depends on:
ii  adduser                    3.102         Add and remove users and groups
ii  apache2                    2.2.3-4       Next generation, scalable, extenda
ii  apache2-mpm-worker [apache 2.2.3-4       High speed threaded model for Apac
ii  debconf [debconf-2.0]      1.5.11        Debian configuration management sy
ii  dpkg                       1.13.25       package maintenance system for Deb
ii  exim4                      4.63-17       metapackage to ease exim MTA (v4) 
ii  exim4-daemon-light [mail-t 4.63-17       lightweight exim MTA (v4) daemon
ii  libarchive-zip-perl        1.16-1        Module for manipulation of ZIP arc
ii  libcompress-zlib-perl      1.42-2        Perl module for creation and manip
ii  perl [libdigest-md5-perl]  5.8.8-7       Larry Wall's Practical Extraction 
ii  perl-suid                  5.8.8-7       Runs setuid Perl scripts
ii  samba-common               3.0.24-6etch4 Samba common files used by both th
ii  smbclient                  3.0.24-6etch4 a LanManager-like simple client fo
ii  tar                        1.16-2        GNU tar
ii  wwwconfig-common           0.0.48        Debian web auto configuration



Bug marked as found in version 3.0.0-1. Request was from Frans Pop <elendil@planet.nl> to control@bugs.debian.org. (Thu, 09 Aug 2007 00:24:02 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#436681; Package backuppc.

Acknowledgement sent to Ludovic Drolez <ldrolez@debian.org>:
Extra info received and forwarded to list.

Message #12 received at 436681@bugs.debian.org:

From: Ludovic Drolez <ldrolez@debian.org>
To: Frans Pop <elendil@planet.nl>, 436681@bugs.debian.org
Subject: Re: Bug#436681: backuppc: Web interface password publicly visible
Date: Mon, 13 Aug 2007 15:11:24 +0200
On Wed, Aug 08, 2007 at 03:58:39PM +0200, Frans Pop wrote:
> Package: backuppc
> Version: 2.1.2-6
> Severity: critical
> Tags: security
> 
> The default password generated at installation time is publicly
> visible to any user with local access to the system on which backuppc is
> installed, as it is included in the debconf database [1] as a variable
> for the backuppc/configuration-note template.
> 
> [1] /var/cache/debconf/config.dat
> 

Hi !

Thanks for the report ! What's strange is that the password should be in
passwords.dat, not in config.dat... Anyway it should be cleared.

Cheers,


-- 
Ludovic Drolez.

http://zaurus.palmopensource.com       - The Zaurus Open Source Portal
http://www.drolez.com      - Personal site - Linux, Zaurus and PalmOS stuff



Information forwarded to debian-bugs-dist@lists.debian.org, Ludovic Drolez <ldrolez@debian.org>:
Bug#436681; Package backuppc.

Acknowledgement sent to Frans Pop <elendil@planet.nl>:
Extra info received and forwarded to list. Copy sent to Ludovic Drolez <ldrolez@debian.org>.

Message #17 received at 436681@bugs.debian.org:

From: Frans Pop <elendil@planet.nl>
To: 436681@bugs.debian.org
Subject: Re: Bug#436681: backuppc: Web interface password publicly visible
Date: Mon, 13 Aug 2007 15:39:10 +0200
On Monday 13 August 2007, you wrote:
> Thanks for the report ! What's strange is that the password should be in
> passwords.dat, not in config.dat... Anyway it should be cleared.

I know debconf quite well because of my work on Debian Installer and that's 
only true if you ask a user to _input_ a password in a password field.

It is not true if you _display_ a password using a variable in a regular 
template. In that case the value of that variable will be included in the 
regular data file.

Note that you will also have to clear values in the debconf database for 
existing installs on upgrades from a broken version.

Cheers,
FJP

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#436681; Package backuppc.

Acknowledgement sent to Ludovic Drolez <ldrolez@debian.org>:
Extra info received and forwarded to list.

Message #22 received at 436681@bugs.debian.org:

From: Ludovic Drolez <ldrolez@debian.org>
To: Frans Pop <elendil@planet.nl>, 436681@bugs.debian.org
Subject: Re: Bug#436681: backuppc: Web interface password publicly visible
Date: Mon, 27 Aug 2007 22:35:52 +0200
On Monday 13 August 2007 15:39, Frans Pop wrote:
> Note that you will also have to clear values in the debconf database for
> existing installs on upgrades from a broken version.

I've just added a new db_subst with an empty value in the postinst. It should 
fix the problem. (db_subst "backuppc/configuration-note" "pass" "")

Cheers,

-- 
Ludovic Drolez.

http://zaurus.palmopensource.com    - The Zaurus Open Source Portal
http://www.drolez.com      - Personal site - Linux and PalmOS stuff



Reply sent to Ludovic Drolez <ldrolez@debian.org>:
You have taken responsibility.

Notification sent to Frans Pop <elendil@planet.nl>:
Bug acknowledged by developer.

Message #27 received at 436681-close@bugs.debian.org:

From: Ludovic Drolez <ldrolez@debian.org>
To: 436681-close@bugs.debian.org
Subject: Bug#436681: fixed in backuppc 3.0.0-4
Date: Mon, 27 Aug 2007 21:47:17 +0000
Source: backuppc
Source-Version: 3.0.0-4

We believe that the bug you reported is fixed in the latest version of
backuppc, which is due to be installed in the Debian FTP archive:

backuppc_3.0.0-4.diff.gz
  to pool/main/b/backuppc/backuppc_3.0.0-4.diff.gz
backuppc_3.0.0-4.dsc
  to pool/main/b/backuppc/backuppc_3.0.0-4.dsc
backuppc_3.0.0-4_all.deb
  to pool/main/b/backuppc/backuppc_3.0.0-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 436681@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovic Drolez <ldrolez@debian.org> (supplier of updated backuppc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 27 Aug 2007 18:28:25 +0200
Source: backuppc
Binary: backuppc
Architecture: source all
Version: 3.0.0-4
Distribution: unstable
Urgency: high
Maintainer: Ludovic Drolez <ldrolez@debian.org>
Changed-By: Ludovic Drolez <ldrolez@debian.org>
Description: 
 backuppc   - high-performance, enterprise-grade system for backing up PCs
Closes: 436681
Changes: 
 backuppc (3.0.0-4) unstable; urgency=high
 .
   * Clear the remaining password in config.dat. Closes: #436681
Files: 
 a805f25874a8f489db6204acd5570cd0 615 utils optional backuppc_3.0.0-4.dsc
 50e8dc2d4fab31f37c8988d469d7b50a 19398 utils optional backuppc_3.0.0-4.diff.gz
 02184d45d5a29a4164cd6b5b76ed0b3b 492072 utils optional backuppc_3.0.0-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG0zVAsRlQAP1GppgRAubIAJ9SOsa7GmuGSzPeTibDbtBtEm/wXwCffM8C
ZN+fxAuQKE4hSGrN4cRQ70c=
=zs3F
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Ludovic Drolez <ldrolez@debian.org>:
Bug#436681; Package backuppc.

Acknowledgement sent to Frans Pop <elendil@planet.nl>:
Extra info received and forwarded to list. Copy sent to Ludovic Drolez <ldrolez@debian.org>.

Message #32 received at 436681@bugs.debian.org:

From: Frans Pop <elendil@planet.nl>
To: 436681@bugs.debian.org
Subject: Re: Bug#436681: backuppc: Web interface password publicly visible
Date: Fri, 31 Aug 2007 21:31:01 +0200
On Monday 27 August 2007, Ludovic Drolez wrote:
> I've just added a new db_subst with an empty value in the postinst. It
> should fix the problem. (db_subst "backuppc/configuration-note" "pass"
> "")

I've taken a look at the code and IMO you should also db_reset the variable 
immediately after the db_go in backuppc.config. That seems by far the 
most natural place to do it and ensures the password is visible only for 
the shortest time possible.

Note that the db_reset in the postinst is still needed to reset values for 
existing installations on upgrade, but that could then be dropped after 
lenny has been released.

Are you also planning to fix this issue for stable? IMO it should be.

Cheers,
FJP
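The thread above pins the leak down to a displayed (not input) debconf variable: the `pass` substitution for backuppc/configuration-note lands in the world-readable config.dat, and the fix is to blank it (db_subst with an empty value in the postinst for existing installs, db_reset right after db_go in the config script for new ones). The following is an added audit check, not code from the bug log or from the backuppc package: a POSIX shell function that scans a debconf text-backend file for any record whose `Variables:` block still carries a non-empty `pass` value, so an administrator can verify on a system whether the password is still sitting in the database. The file layout it assumes (blank-line-separated records, `Field: value` headers, variables as ` key = value` lines indented by one space) matches the debconf text backend; the sample file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the bug log: audit a debconf text-backend
# config.dat for templates whose "Variables:" block still holds a
# non-empty "pass" substitution (the leak reported in #436681).
#
# Format assumed (debconf text backend): records separated by blank
# lines, "Field: value" header lines, and a "Variables:" field whose
# entries follow as " key = value" lines indented by one space.

# Print the Name of every record whose Variables block has a
# non-empty "pass" value. Argument: path of the config.dat file.
find_leaked_pass() {
    awk '
        /^Name: /     { name = substr($0, 7); leaked = 0; invars = 0; next }
        /^Variables:/ { invars = 1; next }
        invars && /^ / {
            line = substr($0, 2)            # drop the leading space
            n = index(line, " =")           # key ends at " ="
            if (n > 0) {
                key = substr(line, 1, n - 1)
                val = substr(line, n + 3)   # empty when nothing follows "= "
                if (key == "pass" && val != "") leaked = 1
            }
            next
        }
        /^[^ ]/ { invars = 0 }              # any other header ends the block
        /^$/    { if (leaked) print name; name = ""; leaked = 0 }
        END     { if (leaked) print name }  # last record without blank line
    ' "$1"
}

# Write a constructed sample config.dat to the given path: one record
# that still leaks the password, one with no variables at all, and one
# already scrubbed (what db_subst with an empty value leaves behind).
write_sample_config() {
    cat > "$1" <<'EOF'
Name: backuppc/configuration-note
Template: backuppc/configuration-note
Value:
Owners: backuppc
Flags: seen
Variables:
 pass = constructed-sample-password
 site = http://localhost/backuppc

Name: backuppc/reconfigure-webserver
Template: backuppc/reconfigure-webserver
Value: apache2
Owners: backuppc
Flags: seen

Name: backuppc/configuration-note-scrubbed
Template: backuppc/configuration-note
Value:
Owners: backuppc
Flags: seen
Variables:
 pass =
 site = http://localhost/backuppc
EOF
}

# Usage: on a real system point find_leaked_pass at
# /var/cache/debconf/config.dat; here the constructed sample is used.
sample=$(mktemp)
write_sample_config "$sample"
find_leaked_pass "$sample"    # prints: backuppc/configuration-note
rm -f "$sample"
```

The scrubbed record shows why an empty db_subst is enough from the file's point of view: the ` pass =` line stays, but with nothing after it, so the check reports only the record that still has a value. Running the function on the live config.dat before and after upgrading to the fixed package gives a direct confirmation that the postinst cleanup Ludovic added actually took effect.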

Information forwarded to debian-bugs-dist@lists.debian.org, Ludovic Drolez <ldrolez@debian.org>:
Bug#436681; Package backuppc.

Acknowledgement sent to BILAL <moonlitnight_pk@yahoo.com>:
Extra info received and forwarded to list. Copy sent to Ludovic Drolez <ldrolez@debian.org>.

Message #37 received at 436681@bugs.debian.org:

From: BILAL <moonlitnight_pk@yahoo.com>
To: 436681@bugs.debian.org
Subject: how can I see the source code of any package ?
Date: Wed, 16 Apr 2008 14:22:51 -0700 (PDT)
Dear sir,

Please tell me how I can see the source code of any package related to bugs.
I have installed many packages and all their dependencies on my system, but I do not know how to see their source code. E.g. if I want to see the source code of the package "backuppc", what should I do?
Please guide me in this problem.

Thanks

Information forwarded to debian-bugs-dist@lists.debian.org, Ludovic Drolez <ldrolez@debian.org>:
Bug#436681; Package backuppc.

Acknowledgement sent to ayesha javaid <ayesha_scilent@yahoo.com>:
Extra info received and forwarded to list. Copy sent to Ludovic Drolez <ldrolez@debian.org>.

Message #42 received at 436681@bugs.debian.org:

From: ayesha javaid <ayesha_scilent@yahoo.com>
To: 436681@bugs.debian.org
Subject: Urgent information required regrading bug#436681
Date: Sun, 4 May 2008 05:07:19 -0700 (PDT)
Hello,
I am an instructor at Queen Mary College, London. I
assigned a project on Debian bugs, so I have to evaluate
students.
One group chose bug#436681 (Web interface password
visible) to understand. I am facing a lot of
problems understanding the Perl code because I have
expertise in C and C++.
I can't find the reason why this bug occurs, or in which
code section the error is. Kindly tell me. I shall be
thankful to you for this kind action.

Ayesha
Instructor (operating system)
Queen Mary College, London





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 10:11:08 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 02:09:50 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.