Debian Bug report logs - #356939
d-i/base-config can include sensitive info in world-readable log files; needs cleanup by passwd


Packages: passwd, base-config; Maintainer for passwd is Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>; Source for passwd is src:shadow (PTS, buildd, popcon). Maintainer for base-config is (unknown);

Reported by: Joey Hess <joeyh@debian.org>

Date: Tue, 14 Mar 2006 21:33:13 UTC

Severity: grave

Tags: d-i, patch, security

Fixed in versions shadow/1:4.0.14-9, shadow/1:4.0.3-31sarge9

Done: Christian Perrier <bubulle@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#356939; Package passwd, base-config.


Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Debian Install System Team <debian-boot@lists.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: d-i/base-config can include sensitive info in world-readable log files; needs cleanup by passwd
Date: Tue, 14 Mar 2006 16:29:45 -0500
Package: passwd, base-config
Severity: grave
Tags: security patch d-i

The debian-installer team has determined that various sensitive
information may be leaked into world-readable log files during the
Debian installation process (sarge, etch, sid [1]). This includes:

 - preseeded passwords for root and other users if a preseed file is
   being used for an automated install (via the debconf-seed log file in
   sarge, and the cdebconf database in etch (bug #356845))
 - pppoeconf passwords in the base-config log file (bug #254068)
 - various other information about what software was installed on the
   system, and the configuration of the system

Note that unlike the similar security issues that affected Ubuntu, root
passwords are not leaked into the log files during regular,
non-preseeded installs.

The attached patches to passwd's postinst close these holes for already
installed systems, by chmoding all affected log files to mode 600. There
are two patches, one is against passwd 1:4.0.14-7 from unstable, and one
is against passwd 1:4.0.3-31sarge5 from stable. I've also included a
patch for base-config in stable to do the same thing[2]. In combination with
installation-report 2.13 (unstable), this will fix the issue in all
circumstances.

Note that passwd is not where this bug originated, and is only being
involved in the fix because there is no better place to put the fix.
Unfortunately, in systems installed by the sarge installer, some of the
affected log files are not "owned" by any particular package, so the fix
has to go into an unrelated package that is installed/upgraded on every
system.

-- 
see shy jo

[1] oldstable may also be vulnerable to the #254068 part of this issue,
    but I have not investigated it.
[2] The passwd fix is needed to fix already installed systems on
    upgrade now, while the base-config fix is needed to secure systems
    installed after the passwd package is accepted into the next stable
    point release.
[shadow-4.0.14.patch (text/plain, attachment)]
[shadow-4.0.3.patch (text/plain, attachment)]
[base-config-2.53.10.1.patch (text/plain, attachment)]
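The attached patches themselves are not reproduced on this page, so the following is an added example (not Joey Hess's patch) showing the shape of the postinst fix the report describes: on an upgrade only, chmod 600 each affected installer log that exists. The log file paths are constructed placeholders; the real list lives in the attached patches.

```shell
#!/bin/sh
# Added example, not the shadow package's own postinst: tighten permissions
# on installer log files that may contain preseeded passwords.
set -e

# Space-separated list of logs to protect. PLACEHOLDER paths, constructed
# for this example; the real files are named in the attached patches.
SENSITIVE_LOGS="/var/log/PLACEHOLDER-base-config.log /var/log/PLACEHOLDER-debconf-seed.log"

# tighten_logs FILE...: chmod 600 every regular file that exists.
# Missing files are skipped (the installer may not have created them),
# and symlinks are skipped so chmod acts on the log itself, not a target.
tighten_logs() {
    for f in "$@"; do
        if [ -f "$f" ] && [ ! -L "$f" ]; then
            chmod 600 "$f"
        fi
    done
}

# is_private FILE: succeed only if FILE exists with exactly mode 0600.
# A defender can run this after the upgrade to confirm the fix applied.
is_private() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm 600 -print)" ]
}

# Maintainer-script entry point. dpkg calls postinst as
# "configure <old-version>" on upgrades; $2 is empty on a fresh install.
# The changelog says the chmod runs on upgrades from any prior version,
# so the action is gated on $2 being non-empty.
postinst_main() {
    case "$1" in
        configure)
            if [ -n "$2" ]; then
                # Word splitting on $SENSITIVE_LOGS is intentional here.
                tighten_logs $SENSITIVE_LOGS
            fi
            ;;
    esac
}
```

Running it as `postinst_main configure 1:4.0.14-7` exercises the upgrade path; a fresh install (`postinst_main configure ""`) leaves the files untouched, which matches the report's note that the leak needs fixing on already installed systems.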

Reply sent to Christian Perrier <bubulle@debian.org>:
You have taken responsibility.


Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer.


Message #10 received at 356939-close@bugs.debian.org:

From: Christian Perrier <bubulle@debian.org>
To: 356939-close@bugs.debian.org
Subject: Bug#356939: fixed in shadow 1:4.0.14-9
Date: Wed, 15 Mar 2006 00:17:08 -0800
Source: shadow
Source-Version: 1:4.0.14-9

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.0.14-9_i386.deb
  to pool/main/s/shadow/login_4.0.14-9_i386.deb
passwd_4.0.14-9_i386.deb
  to pool/main/s/shadow/passwd_4.0.14-9_i386.deb
shadow_4.0.14-9.diff.gz
  to pool/main/s/shadow/shadow_4.0.14-9.diff.gz
shadow_4.0.14-9.dsc
  to pool/main/s/shadow/shadow_4.0.14-9.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 356939@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <bubulle@debian.org> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Wed, 15 Mar 2006 08:03:43 +0100
Source: shadow
Binary: login passwd
Architecture: source i386
Version: 1:4.0.14-9
Distribution: unstable
Urgency: high
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Christian Perrier <bubulle@debian.org>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
Closes: 356939
Changes: 
 shadow (1:4.0.14-9) unstable; urgency=high
 .
   [ Joey Hess ]
   * passwd.postinst: On upgrades from any prior version, chmod 600 various
     base-config and d-i log files that might contain sensitive information,
     including in some cases, passwords. Closes: #356939
Files: 
 74a012b5c46114dfa9791117ca3a39db 964 admin required shadow_4.0.14-9.dsc
 b68a15711bbc474ffbe2bda0b5f5f4b0 177589 admin required shadow_4.0.14-9.diff.gz
 d337f489eeae22481272fa37a07ed696 730760 admin required passwd_4.0.14-9_i386.deb
 22d7491aceaec65eafff79056282017a 653424 admin required login_4.0.14-9_i386.deb





Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#356939; Package passwd, base-config.


Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Debian Install System Team <debian-boot@lists.debian.org>.


Message #15 received at 356939@bugs.debian.org:

From: Christian Perrier <bubulle@debian.org>
To: team@security.debian.org
Cc: debian-release@lists.debian.org, 356939@bugs.debian.org
Subject: "Security" fix for shadow in sarge (#356939)
Date: Sat, 8 Jul 2006 07:19:30 +0200
Mail exchange between the security team and me a few weeks ago about
a shadow update aimed at fixing the potential leak of sensitive
information (Bug 356939):

">" is Joey Schulze
"> >" was me

> There's an updated shadow package in the security queue, and I
> remember asking for help with this issue, but didn't get a response.
> 
> > We would like to know now whether we need to do something or if the
> > case is safely in your hands.
> 
> No, it's not safe.  I'm also totally out of the issue at the moment
> and don't remember any details.
> 
> > A fixed version of the package is quietly waiting on my HD if needed.
> 
> The same as attached or a different one?

(Joey Schulze did attach a diff file, which happened to be the same
as mine...so we confirmed we were talking about the same fix)

So, it is the same. 

The problem remains. We have two packages dealing with the same
issue for different situations. base-config has been processed through
proposed-updates....while shadow is waiting in the security team
queue....

In short, (Joey Hess's own words) the shadow/passwd fix is needed to fix
already installed systems on upgrade now, while the base-config fix is
needed to secure systems installed after the passwd package is
accepted into the next stable point release.



The best really seems to be uploading the new shadow in
proposed-updates as well and have both processed the same way so that
the next stable release update contains the fixed packages.

Moreover, if we only process shadow through security while base-config
which addresses the same problem is not, we cannot write the security
announcement because the new installations made with the sarge
installer would still have the problem even with the new shadow.

So, the best option is actually to drop the current shadow in the
security team queue while shadow is being processed through
proposed-updates, synced with base-config.



As a consequence, I hereby ask the security team to DROP the processing
of the 4.0.3-31sarge6 version you have.

Stable release team: I'm building a fixed shadow and will upload it to
proposed-updates. It should be included in the next stable update
along with base-config 2.53.10.1

PS: I'm actually not happy with the way we handled this, "we" being the
shadow package maintenance team and especially myself. I should have
worried earlier. Thanks to Frans Pop who kept nagging me about this,
leading to a final discussion on IRC convincing me to change and
upload to p-u. Apologies to others. I certainly still have a lot to
learn when it comes to stable updates and security updates.






Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#356939; Package passwd, base-config.


Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>, Debian Install System Team <debian-boot@lists.debian.org>.


Message #20 received at 356939@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Christian Perrier <bubulle@debian.org>
Cc: team@security.debian.org, debian-release@lists.debian.org, 356939@bugs.debian.org
Subject: Re: "Security" fix for shadow in sarge (#356939)
Date: Sun, 9 Jul 2006 17:33:49 +0200
Christian Perrier wrote:
> As a consequence, I hereby ask the security team to DROP the processing
> of the 4.0.3-31sarge6 version you have.

As you wish, packages deleted.

Regards,

	Joey

-- 
Testing? What's that? If it compiles, it is good, if it boots up, it is perfect.

Please always Cc to me when replying to me on the lists.



Reply sent to Christian Perrier <bubulle@debian.org>:
You have taken responsibility.


Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer.


Message #25 received at 356939-close@bugs.debian.org:

From: Christian Perrier <bubulle@debian.org>
To: 356939-close@bugs.debian.org
Subject: Bug#356939: fixed in shadow 1:4.0.3-31sarge9
Date: Wed, 30 Aug 2006 23:05:43 -0700
Source: shadow
Source-Version: 1:4.0.3-31sarge9

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.0.3-31sarge9_i386.deb
  to pool/main/s/shadow/login_4.0.3-31sarge9_i386.deb
passwd_4.0.3-31sarge9_i386.deb
  to pool/main/s/shadow/passwd_4.0.3-31sarge9_i386.deb
shadow_4.0.3-31sarge9.diff.gz
  to pool/main/s/shadow/shadow_4.0.3-31sarge9.diff.gz
shadow_4.0.3-31sarge9.dsc
  to pool/main/s/shadow/shadow_4.0.3-31sarge9.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 356939@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <bubulle@debian.org> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Sat, 12 Aug 2006  09:23:46 +0200
Source: shadow
Binary: login passwd
Architecture: source i386
Version: 1:4.0.3-31sarge9
Distribution: stable
Urgency: low
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Christian Perrier <bubulle@debian.org>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
Closes: 356939
Changes: 
 shadow (1:4.0.3-31sarge9) stable; urgency=low
 .
   * passwd.postinst: On upgrades from any prior version, chmod 600 various
     base-config and d-i log files that might contain sensitive information,
     including in some cases, passwords. Thanks to Joey Hess for the patch.
     Closes: #356939
Files: 
 3b70565e0fda25a953e604a76ff95f9d 839 base required shadow_4.0.3-31sarge9.dsc
 6f7872abe67c78be483b4e74a79cfb33 1319641 base required shadow_4.0.3-31sarge9.diff.gz
 f7da25ed03046579d4708b939881be38 528890 base required passwd_4.0.3-31sarge9_i386.deb
 c499fa55f52e609e3c61d95405dcb623 576160 base required login_4.0.3-31sarge9_i386.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 02:27:18 GMT)

