Debian Bug report logs - #305142
apt-setup creates a world readable apt.conf file

Package: apt-setup; Maintainer for apt-setup is Debian Install System Team <debian-boot@lists.debian.org>;

Reported by: Alexander Mader <alexander.mader@niles.de>

Date: Mon, 18 Apr 2005 08:18:03 UTC

Severity: normal

Tags: security

Merged with 553374



Report forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#305142; Package apt. (full text, mbox, link).


Acknowledgement sent to Alexander Mader <alexander.mader@niles.de>:
New Bug report received and forwarded. Copy sent to APT Development Team <deity@lists.debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Alexander Mader <alexander.mader@niles.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: world readable apt.conf with proxy passwd
Date: Mon, 18 Apr 2005 10:06:07 +0200
Package: apt
Version: 0.5.28.1
Severity: grave
Tags: security
Justification: user security hole

During install apt.conf is written; including proxy configuration if
needed. The Proxy string is stored in apt.conf but permissions allow
group and others to read apt.conf hence to get the proxy password which
could even be a real user's password.

Best regards,

Alexander Mader.
-- Package-specific info:

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)

Versions of packages apt depends on:
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libgcc1                     1:3.4.3-12   GCC support library
ii  libstdc++5                  1:3.3.5-8    The GNU Standard C++ Library v3

-- no debconf information



Severity set to `important'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, APT Development Team <deity@lists.debian.org>:
Bug#305142; Package apt. (full text, mbox, link).


Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to APT Development Team <deity@lists.debian.org>. (full text, mbox, link).


Message #12 received at 305142@bugs.debian.org (full text, mbox, reply):

From: Matt Zimmerman <mdz@debian.org>
To: Alexander Mader <alexander.mader@niles.de>, 305142@bugs.debian.org
Subject: Re: Bug#305142: world readable apt.conf with proxy passwd
Date: Tue, 19 Apr 2005 01:05:15 -0700
reassign 305142 debian-installer
thanks

On Mon, Apr 18, 2005 at 10:06:07AM +0200, Alexander Mader wrote:
> Package: apt
> Version: 0.5.28.1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> During install apt.conf is written; including proxy configuration if
> needed. The Proxy string is stored in apt.conf but permissions allow
> group and others to read apt.conf hence to get the proxy password which
> could even be a real user's password.

This issue belongs to whichever installer component creates the file.

-- 
 - mdz



Bug reassigned from package `apt' to `debian-installer'. Request was from Matt Zimmerman <mdz@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#305142; Package debian-installer. (full text, mbox, link).


Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (full text, mbox, link).


Message #19 received at 305142@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>
To: Matt Zimmerman <mdz@debian.org>, 305142@bugs.debian.org
Subject: Re: Bug#305142: world readable apt.conf with proxy passwd
Date: Tue, 19 Apr 2005 18:41:57 +0200
reassign 305142 base-config
retitle 305142 apt-setup creates a world readable apt.conf file
thanks

Quoting Matt Zimmerman (mdz@debian.org):
> reassign 305142 debian-installer
> thanks


> 
> On Mon, Apr 18, 2005 at 10:06:07AM +0200, Alexander Mader wrote:
> > Package: apt
> > Version: 0.5.28.1
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > During install apt.conf is written; including proxy configuration if
> > needed. The Proxy string is stored in apt.conf but permissions allow
> > group and others to read apt.conf hence to get the proxy password which
> > could even be a real user's password.
> 
> This issue belongs to whichever installer component creates the file.


Which happens to be apt-setup from base-config if I'm correct...





Bug reassigned from package `debian-installer' to `base-config'. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Changed Bug title. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Severity set to `normal'. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#305142; Package base-config. (full text, mbox, link).


Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (full text, mbox, link).


Message #30 received at 305142@bugs.debian.org (full text, mbox, reply):

From: Martin Schulze <joey@infodrom.org>
To: 305142@bugs.debian.org
Subject: CAN-2005-2214: insecure apt-setup
Date: Tue, 12 Jul 2005 07:31:42 +0200
severity 305142 important
tags 305142 security
thanks

Is there any motion on this problem?

======================================================
Candidate: CAN-2005-2214
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2214
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20050712
Category: SF
Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305142
Reference: SECUNIA:15955
Reference: URL:http://secunia.com/advisories/15955

apt-setup in Debian GNU/Linux installs the apt.conf file with insecure
permissions, which allows local users to obtain sensitive information
such as passwords.


Regards,

	Joey

-- 
Have you ever noticed that "General Public Licence" contains the word "Pub"?

Please always Cc to me when replying to me on the lists.



Severity set to `important'. Request was from Martin Schulze <joey@infodrom.org> to control@bugs.debian.org. (full text, mbox, link).


Tags added: security. Request was from Martin Schulze <joey@infodrom.org> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#305142; Package base-config. (full text, mbox, link).


Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (full text, mbox, link).


Message #39 received at 305142@bugs.debian.org (full text, mbox, reply):

From: Joey Hess <joeyh@debian.org>
To: Martin Schulze <joey@infodrom.org>, 305142@bugs.debian.org
Subject: Re: Bug#305142: CAN-2005-2214: insecure apt-setup
Date: Tue, 12 Jul 2005 13:30:21 +0300
Martin Schulze wrote:
> severity 305142 important

This is severity inflation: This bug affects a minority of a minority of
users (users who have a proxy that requires a password, have some reason
to use it for apt, and somehow have managed to avoid the inherent
security issues of the http password being sent in the clear over the
network).

> tags 305142 security
> thanks
> 
> Is there any motion on this problem?

The only real solution to this bug is to remove support for passwords in
the proxy setting. Making the file mode 600 by default, or even only if
a password is present cripples the system for regular users by breaking
apt-get source and hardly makes it any more secure anyway.

-- 
see shy jo

Severity set to `normal'. Request was from Martin Schulze <joey@infodrom.org> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#305142; Package base-config. (full text, mbox, link).


Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>. (full text, mbox, link).


Message #46 received at 305142@bugs.debian.org (full text, mbox, reply):

From: Petter Reinholdtsen <pere@hungry.com>
To: 305142@bugs.debian.org
Subject: Re: Bug#305142: CAN-2005-2214: insecure apt-setup
Date: Tue, 12 Jul 2005 13:37:48 +0200
[Joey Hess]
> The only real solution to this bug is to remove support for
> passwords in the proxy setting. Making the file mode 600 by default,
> or even only if a password is present cripples the system for
> regular users by breaking apt-get source and hardly makes it anymore
> secure anyway.

An option is to only support the http_proxy and ftp_proxy environment
variables, but this is painful in other ways (bug #123144).

Another option is to move the proxy settings to a separate file and
read this file too.
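
Added example, not code from apt-setup or from anyone in this thread: a small audit that finds Proxy settings in apt.conf text whose URL embeds a password and checks whether the file is readable by group or others, the combination this report describes. The sample configuration, user name and host names are constructed.

```python
"""Audit apt.conf-style files for proxy URLs that embed a password and
sit in a file readable by group or others.  Added example for bug
#305142; not apt-setup code.  All sample data below is constructed."""
import os
import re
import stat
import tempfile
from urllib.parse import urlsplit

# Value of any Proxy setting, whether written flat (Acquire::http::Proxy "...";)
# or nested inside Acquire { http { Proxy "..."; }; };  Host-specific
# overrides such as Acquire::http::Proxy::host "DIRECT"; also match.
PROXY_RE = re.compile(r'\bProxy(?:::\S+)?\s+"([^"]*)"\s*;')


def find_credentialed_proxies(text):
    """Return proxy URLs whose userinfo part carries a password (user:pw@host)."""
    hits = []
    for line in text.splitlines():
        if line.lstrip().startswith(("//", "#")):   # apt.conf line comments
            continue
        for url in PROXY_RE.findall(line):
            if urlsplit(url).password:               # "DIRECT" and bare hosts have none
                hits.append(url)
    return hits


def readable_by_others(path):
    """True when the group or other read bit is set on the file."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def audit(path):
    """Report a file as exposed when it holds a proxy password and is not owner-only."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        urls = find_credentialed_proxies(fh.read())
    others = readable_by_others(path)
    return {"path": path, "passwords": len(urls),
            "readable_by_others": others, "exposed": bool(urls) and others}


def demo():
    """Constructed apt.conf with a credentialed proxy, left world-readable (0644)."""
    sample = ('// constructed sample, not a real configuration\n'
              'APT::Get::Show-Upgraded "true";\n'
              'Acquire::http::Proxy "http://alice:s3cret@proxy.example.test:3128/";\n'
              'Acquire::http::Proxy::deb.debian.org "DIRECT";\n')
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "apt.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)          # the mode the report complains about
        return audit(path)


if __name__ == "__main__":
    print(demo())
```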



Bug reassigned from package `base-config' to `apt-setup'. Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Forcibly Merged 305142 553374. Request was from Miguel Figueiredo <elmig@debianpt.org> to control@bugs.debian.org. (Wed, 12 Jan 2011 02:15:03 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 22:03:22 2025; Machine Name: buxtehude
