Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Alexander Zangerl <az@debian.org>: Bug#442840; Package duplicity.
Acknowledgement sent to Sam Morris <sam@robots.org.uk>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Alexander Zangerl <az@debian.org>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: duplicity: exposes FTP password in command line args
Date: Mon, 17 Sep 2007 10:52:22 +0100
Package: duplicity
Version: 0.4.3-1
Severity: grave
Tags: security
Justification: user security hole
Password details are passed to ncftp on the command line rather than via
a file descriptor, environment variable or some other method that would
keep the data private.
$ pgrep -fl ncftp
1153 sh -c ncftpput -F -t 30 -u 'ftpuser' -p 'ftppass' -V -c 'ftp.example.com' '2007-38/root/duplicity-full.2007-09-17T10:30:20+01:00.vol70.difftar.gpg' < '/tmp/duplicity.mTFZZY'
1154 ncftpput -F -t 30 -u ? -p ? -V -c ftp.example.com 2007-38/root/duplicity-full.2007-09-17T10:30:20+01:00.vol70.difftar.gpg
The same applies for the way ncftpls is invoked, and presumably also for
any other ncftp commands that are used.
According to the ncftpput man page:
Using the -u and -p options are not recommended, because your account
information is exposed to anyone who can see your shell script or your
process information. For example, someone using the ps program could
see your password while the program runs.
You may use the -f option instead to specify a file with the account
information. However, this is still not secure because anyone who has
read access to the information file can see the account information.
Nevertheless, if you choose to use the -f option the file should look
something like this:
host sphygmomanometer.ncftp.com
user gleason
pass mypassword
Don’t forget to change the permissions on this file so no one else can
read them.
So the correct way to use this option would be to call os.umask (077), then
create the file. It might even be better to create a FIFO and pass the details
in that way.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (540, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Versions of packages duplicity depends on:
ii gnupg 1.4.6-2 GNU privacy guard - a free PGP rep
ii libc6 2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii librsync1 0.9.7-1 Library which implements the rsync
ii python 2.4.4-2 An interactive high-level object-o
ii python-central 0.5.12 register and build utility for Pyt
ii python-gnupginterface 0.3.2-9 Python interface to GnuPG (GPG)
ii python-pexpect 2.1-1 Python module for automating inter
duplicity recommends no packages.
-- no debconf information
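As an added illustration of the two invocations the report contrasts (this is example code, not duplicity's or ncftp's own), the block below builds the argument vector for the leaky `-u`/`-p` form and for the `-f` form with a credentials file created at mode 0600 under `umask(077)`, and never runs `ncftpput` itself. The option letters come from the report and the man page quote above; the assumption that the host is omitted from the positional arguments when `-f` is given follows the ncftpput synopsis, and the sample host, user and password are constructed.

```python
import os
import stat
import tempfile
from contextlib import contextmanager


def vulnerable_argv(host, user, password, remote_path):
    """The form Bug#442840 reports: the password is an argv element, so any
    local user can read it with ps or pgrep -f for as long as the upload runs."""
    return ["ncftpput", "-F", "-t", "30", "-u", user, "-p", password,
            "-V", "-c", host, remote_path]


@contextmanager
def ncftp_credentials_file(host, user, password):
    """Write the host/user/pass file the ncftpput man page describes, readable
    only by the owner, and remove it when the caller is done.  mkstemp opens the
    file with O_EXCL and mode 0600, so there is no window in which another user
    can read it; umask(077) is set as well, as the report suggests, so that any
    other file created while it is held is private by default."""
    old_umask = os.umask(0o077)
    fd, path = tempfile.mkstemp(prefix="ncftp.", text=True)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(f"host {host}\nuser {user}\npass {password}\n")
        yield path
    finally:
        os.umask(old_umask)
        os.unlink(path)  # secret leaves the filesystem as soon as the upload is over


def hardened_argv(creds_path, remote_path):
    """Only the path of the 0600 file appears in argv; the secret never does.
    Host omitted positionally on the assumption that -f supplies it (synopsis)."""
    return ["ncftpput", "-F", "-t", "30", "-f", creds_path, "-V", "-c", remote_path]


def secret_in_argv(argv, password):
    """Check a command line the way ps would show it: is the password visible?"""
    return any(password in arg for arg in argv)


def creds_file_mode(path):
    """Permission bits of the credentials file (expected 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def path_exists(path):
    return os.path.exists(path)
```

Passing an argv list to `subprocess` instead of the `sh -c '...'` string in the report also removes the shell quoting layer, so a password containing a quote cannot break or alter the command.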
Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Zangerl <az@debian.org>: Bug#442840; Package duplicity.
Acknowledgement sent to Alexander Zangerl <az@snafu.priv.at>:
Extra info received and forwarded to list. Copy sent to Alexander Zangerl <az@debian.org>.
On Mon, 17 Sep 2007 10:52:22 +0100, Sam Morris writes:
>Package: duplicity
>Version: 0.4.3-1
>Severity: grave
>Tags: security
>Justification: user security hole
>
>Password details are passed to ncftp on the command line rather than via
>a file descriptor, environment variable or some other method that would
>keep the data private.
thanks for spotting these two ftp-related bugs; a fix is forthcoming
and a new version will be uploaded tonight.
regards
az
--
+ Alexander Zangerl + DSA 42BD645D + (RSA 5B586291)
He who joyfully marches to music in rank and file has already earned my
contempt. He has been given a large brain by mistake, since for him the
spinal cord would fully suffice. -- Einstein
Source: duplicity
Source-Version: 0.4.3-2
We believe that the bug you reported is fixed in the latest version of
duplicity, which is due to be installed in the Debian FTP archive:
duplicity_0.4.3-2.diff.gz
to pool/main/d/duplicity/duplicity_0.4.3-2.diff.gz
duplicity_0.4.3-2.dsc
to pool/main/d/duplicity/duplicity_0.4.3-2.dsc
duplicity_0.4.3-2_i386.deb
to pool/main/d/duplicity/duplicity_0.4.3-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 442840@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alexander Zangerl <az@debian.org> (supplier of updated duplicity package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Wed, 19 Sep 2007 22:36:04 +1000
Source: duplicity
Binary: duplicity
Architecture: source i386
Version: 0.4.3-2
Distribution: unstable
Urgency: low
Maintainer: Alexander Zangerl <az@debian.org>
Changed-By: Alexander Zangerl <az@debian.org>
Description:
duplicity - encrypted bandwidth-efficient backup
Closes: 442834 442840
Changes:
duplicity (0.4.3-2) unstable; urgency=low
.
* now suggests ncftp (closes: #442834) and mentions that in NEWS.Debian
i have decided that Recommends: is too strong here, as ftp is a lousy
protocol which should be avoided as much as possible.
* applied upstream fix for leaking ftp passphrases via the commandline
(closes: #442840). the fix works only with ncftp version 3.2.1
and newer, which means etch is out.
* applied upstream patch for upstream-#21123, which fixes another
ftp backend problem.
* finally fixed the superfluous passphrase dialogs
* tidied build process for easier integration into ubuntu, removing
some unnecessary python version dependencies
* applied upstream patch for upstream-#6211, restoring strict host key
checks for the ssh backend.
Files:
7e1ad5f99de3369400431e50ca10311b 663 utils optional duplicity_0.4.3-2.dsc
34a6811369247fd9a22060d658d4da57 10868 utils optional duplicity_0.4.3-2.diff.gz
359eb545fec4f46c7a5855ded2782050 111726 utils optional duplicity_0.4.3-2_i386.deb
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 21 Oct 2007 07:27:31 GMT)