Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Alexis Sukrieh <sukria@debian.org>: Bug#439392; Package backup-manager.
Acknowledgement sent to Micha Lenk <micha@lenk.info>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Alexis Sukrieh <sukria@debian.org>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: backup-manager: password disclosure in backup uploads
Date: Fri, 24 Aug 2007 21:02:58 +0200
Package: backup-manager
Version: 0.7.5-3
Severity: critical
Tags: security
Justification: root security hole
Hi,
I just discovered that backup-manager discloses the FTP password
during a running FTP upload in the process list.
A user who has shell access on the computer simply needs to run the command
ps wax | grep backup-manager
to get the FTP username, hostname and password. The output is something
like (I replaced the sensitive data here with FTPHOST, FTPUSER and FTPPASS):
3796 pts/1 SN+ 0:00 /bin/bash /usr/sbin/backup-manager -v
12647 pts/1 RN+ 0:47 /usr/bin/perl /usr/bin/backup-manager-upload -v --ftp-purge -m=ftp -h=FTPHOST -u=FTPUSER -p=FTPPASS ...
With these data the attacking user is able to log in to the same FTP
space where the archives created by backup-manager are uploaded to. So
the attacking user is also able to simply download these archives and
extract them as a normal user -- with full access to all included files,
even those originally accessible by root only. :-(
Have a nice day
Micha
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-k7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages backup-manager depends on:
ii debconf [debconf-2.0] 1.5.11 Debian configuration management sy
ii findutils 4.2.28-1 utilities for finding files--find,
ii gzip 1.3.5-15 The GNU compression utility
ii ucf 2.0020 Update Configuration File: preserv
backup-manager recommends no packages.
-- debconf information excluded
Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>: Bug#439392; Package backup-manager.
Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@debian.org>.
To: 439392-submitter@bugs.debian.org, 439392@bugs.debian.org,
team@security.debian.org
Subject: [backup-manager] Fix proposed upstream
Date: Wed, 29 Aug 2007 11:49:26 +0200
Hello,
A fix has been proposed and is waiting for approval by the development
team upstream. We very much welcome Debian's point of view on the
solution submitted here.
patch:
http://bugzilla.backup-manager.org/cgi-bin/attachment.cgi?id=64
use private temp file for passing the password to b-m-u
This way we hide the password in a file which is readable only by the
user who launched backup-manager, and saved in his home directory.
backup-manager-upload is passed the path to that file instead of the
password itself.
Feel free to comment.
Regards,
--
Alexis Sukrieh
Message sent on to Micha Lenk <micha@lenk.info>:
Bug#439392.
Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>: Bug#439392; Package backup-manager.
Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@debian.org>.
Alexis Sukrieh wrote:
> Hello,
>
> A fix has been proposed and is waiting for approval by the development
> team upstream. We very much welcome Debian's point of view on the
> solution submitted here.
Please ignore that patch. There is a cleaner solution, which is using the
environment variable already exported by the first script.
Sorry for the noise.
The patch that will be provided upstream will be about reading
$ENV{BM_UPLOAD_FTP_PASSWORD} instead of taking it from the command line.
Regards.
--
Alexis Sukrieh
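The exposure described in the original report and the environment-variable fix outlined in the message above, as an added shell example that is not part of this bug thread or of backup-manager itself; the stand-in uploader, the process-list sample and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not backup-manager's own code. Two halves of Bug#439392:
# an audit that flags credentials exposed in process argv (what the reporter
# saw with `ps wax`), and the fixed launch pattern that hands the password to
# the uploader through the environment, as the upstream fix does with
# BM_UPLOAD_FTP_PASSWORD. The stand-in uploader and sample below are constructed.

# Audit: read `ps wax`-style lines on stdin and print those whose argv carries
# a "-p=VALUE" or "--password=VALUE" option. On Linux /proc/PID/cmdline is
# world-readable, so every local user can see such a value.
find_cmdline_secrets() {
    grep -E -- '(^|[[:space:]])(-p|--password)=[^[:space:]]+'
}

# Vulnerable pattern (backup-manager 0.7.5): the secret is an argument.
# The uploader is run via sh so the example also works on a noexec /tmp.
upload_insecure() {
    uploader="$1" host="$2" user="$3" pass="$4"
    sh "$uploader" -m=ftp -h="$host" -u="$user" -p="$pass"
}

# Fixed pattern: the secret travels only in the environment. On Linux
# /proc/PID/environ is mode 0400, so only the invoking user and root can read
# it, which matches the threat in the report (other local shell users).
upload_secure() {
    uploader="$1" host="$2" user="$3" pass="$4"
    BM_UPLOAD_FTP_PASSWORD="$pass" sh "$uploader" -m=ftp -h="$host" -u="$user"
}

# Constructed stand-in for backup-manager-upload: takes the password from
# either source and reports its argv and the password it ended up using.
make_fake_uploader() {
    f=$(mktemp "${TMPDIR:-/tmp}/bm-upload.XXXXXX") || return 1
    cat > "$f" <<'EOF'
#!/bin/sh
pass="${BM_UPLOAD_FTP_PASSWORD:-}"
for a in "$@"; do case "$a" in -p=*) pass="${a#-p=}" ;; esac; done
printf 'argv: %s\n' "$*"
printf 'password-used: %s\n' "$pass"
EOF
    printf '%s\n' "$f"
}

# Constructed process-list sample modelled on the report's `ps wax` output.
SAMPLE_PS=' 3796 pts/1 SN+ 0:00 /bin/bash /usr/sbin/backup-manager -v
12647 pts/1 RN+ 0:47 /usr/bin/perl /usr/bin/backup-manager-upload -v --ftp-purge -m=ftp -h=FTPHOST -u=FTPUSER -p=FTPPASS
 4001 pts/2 S+ 0:00 mkdir -p /var/archives'

# Demo: the audit flags only the uploader line; the two launchers differ only
# in where the secret ends up.
printf '%s\n' "$SAMPLE_PS" | find_cmdline_secrets
UPLOADER=$(make_fake_uploader)
upload_insecure "$UPLOADER" FTPHOST FTPUSER FTPPASS
upload_secure "$UPLOADER" FTPHOST FTPUSER FTPPASS
rm -f "$UPLOADER"
```

The audit is the check to run on a host before and after upgrading; the environment is still visible to root and to the invoking user, so it narrows the exposure rather than removing it entirely.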
Message sent on to Micha Lenk <micha@lenk.info>:
Bug#439392.
Reply sent to Alexis Sukrieh <sukria@debian.org>:
You have taken responsibility.
Notification sent to Micha Lenk <micha@lenk.info>:
Bug acknowledged by developer.
Subject: Bug#439392: fixed in backup-manager 0.7.6-3
Date: Thu, 30 Aug 2007 16:47:02 +0000
Source: backup-manager
Source-Version: 0.7.6-3
We believe that the bug you reported is fixed in the latest version of
backup-manager, which is due to be installed in the Debian FTP archive:
backup-manager-doc_0.7.6-3_all.deb
to pool/main/b/backup-manager/backup-manager-doc_0.7.6-3_all.deb
backup-manager_0.7.6-3.diff.gz
to pool/main/b/backup-manager/backup-manager_0.7.6-3.diff.gz
backup-manager_0.7.6-3.dsc
to pool/main/b/backup-manager/backup-manager_0.7.6-3.dsc
backup-manager_0.7.6-3_all.deb
to pool/main/b/backup-manager/backup-manager_0.7.6-3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 439392@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alexis Sukrieh <sukria@debian.org> (supplier of updated backup-manager package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Thu, 30 Aug 2007 18:24:14 +0200
Source: backup-manager
Binary: backup-manager backup-manager-doc
Architecture: source all
Version: 0.7.6-3
Distribution: unstable
Urgency: high
Maintainer: Alexis Sukrieh <sukria@debian.org>
Changed-By: Alexis Sukrieh <sukria@debian.org>
Description:
backup-manager - command-line backup tool
backup-manager-doc - documentation package for Backup Manager
Closes: 439392
Changes:
backup-manager (0.7.6-3) unstable; urgency=high
.
* Backport from the stable upstream branch for closing a security issue
(password disclosure during FTP uploads).
(closes: #439392)
Files:
a0a7141e7f973718eb493d9896521dc3 744 admin optional backup-manager_0.7.6-3.dsc
a0f986c3b4a015b63786f4ab124efb8e 82039 admin optional backup-manager_0.7.6-3.diff.gz
6d1c683b8896acad01d013e31259b118 114594 admin optional backup-manager_0.7.6-3_all.deb
31f731a074c1e0bd69725ca1aaf69a14 212468 doc optional backup-manager-doc_0.7.6-3_all.deb
Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>: Bug#439392; Package backup-manager.
Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@debian.org>.
Alexis Sukrieh wrote:
> The patch that will be provided upstream will be about reading
> $ENV{BM_UPLOAD_FTP_PASSWORD} instead of taking it from the command line.
Hi,
I've just uploaded a patched version to sid (0.7.6-4) and have prepared
a fix for the stable package.
Find attached a patch to apply to the stable package (0.7.5-3).
I also attached the .dsc and .diff.gz resulting from the build for stable.
Feel free to tell me if you need anything else for closing the bug in
stable.
PS: I did as is documented in the developer's reference and did not
upload anything to stable-proposed-update, as this is about security:
http://www.debian.org/doc/manuals/developers-reference/ch-pkgs.en.html#s-bug-security
I hope I did right.
Regards,
--
Alexis Sukrieh
Information forwarded to Alexis Sukrieh <sukria@debian.org>: Bug#439392; Package backup-manager.
Acknowledgement sent to Micha Lenk <micha@lenk.info>:
Extra info received and forwarded to maintainer. Copy sent to Alexis Sukrieh <sukria@debian.org>.
Hi Alexis,
when will there be a security update available for Debian Etch?
Thanks for your support
Micha
Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>: Bug#439392; Package backup-manager.
Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@debian.org>.
To: Micha Lenk <micha@lenk.info>, 439392@bugs.debian.org
Subject: Re: Bug#439392: Security Update for Etch?
Date: Wed, 05 Sep 2007 09:59:00 +0200
Micha Lenk wrote:
> Hi Alexis,
>
> when will there be a security update available for Debian Etch?
>
> Thanks for your support
Hi,
I've submitted a patch for the etch package to the security team. It's
in their hands and is waiting for approval.
I'm waiting to see it going into the security updates as well ;)
Regards,
--
Alexis Sukrieh
Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>: Bug#439392; Package backup-manager.
Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@debian.org>.
Hi,
Thanks for fixing this promptly. Do you intend to supply fixed packages for
etch and sarge, or are they not vulnerable?
Thanks
Thijs
Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@debian.org>: Bug#439392; Package backup-manager.
Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@debian.org>.
To: Thijs Kinkhorst <thijs@debian.org>, 439392@bugs.debian.org,
team@security.debian.org
Subject: Re: Bug#439392: Updates for etch and sarge?
Date: Mon, 10 Sep 2007 09:54:27 +0200
Thijs Kinkhorst wrote:
> Hi,
>
> Thanks for fixing this promptly. Do you intend to supply fixed packages for
> etch and sarge, or are they not vulnerable?
Hi,
The stable package has been submitted to the Security Team. It's
waiting for approval.
Regards,
--
Alexis Sukrieh
Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.
Notification sent to Micha Lenk <micha@lenk.info>:
Bug acknowledged by developer.
Subject: Bug#439392: fixed in backup-manager 0.5.7-1sarge2
Date: Fri, 21 Mar 2008 07:52:22 +0000
Source: backup-manager
Source-Version: 0.5.7-1sarge2
We believe that the bug you reported is fixed in the latest version of
backup-manager, which is due to be installed in the Debian FTP archive:
backup-manager_0.5.7-1sarge2.diff.gz
to pool/main/b/backup-manager/backup-manager_0.5.7-1sarge2.diff.gz
backup-manager_0.5.7-1sarge2.dsc
to pool/main/b/backup-manager/backup-manager_0.5.7-1sarge2.dsc
backup-manager_0.5.7-1sarge2_all.deb
to pool/main/b/backup-manager/backup-manager_0.5.7-1sarge2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 439392@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated backup-manager package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sat, 15 Mar 2008 22:30:05 +0100
Source: backup-manager
Binary: backup-manager
Architecture: source all
Version: 0.5.7-1sarge2
Distribution: oldstable-security
Urgency: high
Maintainer: Alexis Sukrieh <sukria@sukria.net>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
backup-manager - command-line backup tool for GNU Linux
Closes: 439392
Changes:
backup-manager (0.5.7-1sarge2) oldstable-security; urgency=high
.
* Non-maintainer upload by the security team.
* Fix FTP password disclosure during FTP uploads, based on
maintainer-supplied patch. Closes: #439392. CVE-2007-4656
Files:
fad99430055e40413827e477768dd077 923 admin optional backup-manager_0.5.7-1sarge2.dsc
4c33c9b8711ca3da4eb7f8f77214c26a 18510 admin optional backup-manager_0.5.7-1sarge2.diff.gz
05b3fbc927d4ca0e7823a5dca7a1b9b0 30740 admin optional backup-manager_0.5.7-1sarge2_all.deb
Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.
Notification sent to Micha Lenk <micha@lenk.info>:
Bug acknowledged by developer.
Subject: Bug#439392: fixed in backup-manager 0.7.5-4
Date: Fri, 21 Mar 2008 07:52:17 +0000
Source: backup-manager
Source-Version: 0.7.5-4
We believe that the bug you reported is fixed in the latest version of
backup-manager, which is due to be installed in the Debian FTP archive:
backup-manager-doc_0.7.5-4_all.deb
to pool/main/b/backup-manager/backup-manager-doc_0.7.5-4_all.deb
backup-manager_0.7.5-4.diff.gz
to pool/main/b/backup-manager/backup-manager_0.7.5-4.diff.gz
backup-manager_0.7.5-4.dsc
to pool/main/b/backup-manager/backup-manager_0.7.5-4.dsc
backup-manager_0.7.5-4_all.deb
to pool/main/b/backup-manager/backup-manager_0.7.5-4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 439392@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated backup-manager package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sat, 15 Mar 2008 22:34:06 +0100
Source: backup-manager
Binary: backup-manager backup-manager-doc
Architecture: source all
Version: 0.7.5-4
Distribution: stable-security
Urgency: high
Maintainer: Alexis Sukrieh <sukria@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
backup-manager - command-line backup tool
backup-manager-doc - documentation package for Backup Manager
Closes: 439392
Changes:
backup-manager (0.7.5-4) stable-security; urgency=high
.
* Backport from unstable (version 0.7.6-4) for closing a security issue:
FTP password disclosure during FTP uploads. Uses maintainer-supplied
patch. Closes: #439392. CVE-2007-4656.
Files:
e63192d8ad7753a47baaae9c9df26f25 1036 admin optional backup-manager_0.7.5-4.dsc
76e1c9cea0b8fb210d3862fd89e09c08 159855 admin optional backup-manager_0.7.5.orig.tar.gz
4c4e6282b938b98e9488d44243d7bb96 98048 admin optional backup-manager_0.7.5-4.diff.gz
bcb8c5d8902e36ac0348c94a84cf04cb 109278 admin optional backup-manager_0.7.5-4_all.deb
d97a5222cf45f9feb451ffb9c0c66164 219546 doc optional backup-manager-doc_0.7.5-4_all.deb
Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility.
Notification sent to Micha Lenk <micha@lenk.info>:
Bug acknowledged by developer.
Subject: Bug#439392: fixed in backup-manager 0.5.7-1sarge2
Date: Sat, 12 Apr 2008 17:54:36 +0000
Source: backup-manager
Source-Version: 0.5.7-1sarge2
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 16 Mar 2009 10:32:50 GMT)