Debian Bug report logs - #442840
duplicity: exposes FTP password in command line args


Package: duplicity; Maintainer for duplicity is Alexander Zangerl <az@debian.org>; Source for duplicity is src:duplicity (PTS, buildd, popcon).

Reported by: Sam Morris <sam@robots.org.uk>

Date: Mon, 17 Sep 2007 09:54:02 UTC

Severity: grave

Tags: security

Found in version duplicity/0.4.3-1

Fixed in version duplicity/0.4.3-2

Done: Alexander Zangerl <az@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Alexander Zangerl <az@debian.org>:
Bug#442840; Package duplicity.


Acknowledgement sent to Sam Morris <sam@robots.org.uk>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Alexander Zangerl <az@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Sam Morris <sam@robots.org.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: duplicity: exposes FTP password in command line args
Date: Mon, 17 Sep 2007 10:52:22 +0100
Package: duplicity
Version: 0.4.3-1
Severity: grave
Tags: security
Justification: user security hole

Password details are passed to ncftp on the command line rather than via
a file descriptor, environment variable or some other method that would
keep the data private.

$ pgrep -fl ncftp
1153 sh -c ncftpput -F -t 30 -u 'ftpuser' -p 'ftppass' -V -c 'ftp.example.com' '2007-38/root/duplicity-full.2007-09-17T10:30:20+01:00.vol70.difftar.gpg' < '/tmp/duplicity.mTFZZY'
1154 ncftpput -F -t 30 -u ?         -p ?        -V -c ftp.example.com 2007-38/root/duplicity-full.2007-09-17T10:30:20+01:00.vol70.difftar.gpg

The same applies for the way ncftpls is invoked, and presumably also for
any other ncftp commands that are used.

According to the ncftpput man page:

	Using  the  -u and -p options are not recommended, because your account
	information is exposed to anyone who can see your shell script or  your
	process  information.   For example, someone using the ps program could
	see your password while the program runs.

	You may use the -f option instead to specify a file  with  the  account
	information.   However, this is still not secure because anyone who has
	read access to the information file can see  the  account  information.
	Nevertheless,  if  you choose to use the -f option the file should look
	something like this:

		   host sphygmomanometer.ncftp.com
		   user gleason
		   pass mypassword

	Don’t forget to change the permissions on this file so no one else  can
	read them.

So the correct way to use this option would be to call os.umask (077), then
create the file. It might even be better to create a FIFO and pass the details
in that way.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (540, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages duplicity depends on:
ii  gnupg                  1.4.6-2           GNU privacy guard - a free PGP rep
ii  libc6                  2.3.6.ds1-13etch2 GNU C Library: Shared libraries
ii  librsync1              0.9.7-1           Library which implements the rsync
ii  python                 2.4.4-2           An interactive high-level object-o
ii  python-central         0.5.12            register and build utility for Pyt
ii  python-gnupginterface  0.3.2-9           Python interface to GnuPG (GPG)
ii  python-pexpect         2.1-1             Python module for automating inter

duplicity recommends no packages.

-- no debconf information
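The fix the reporter proposes, written out as an added Python example. This is not duplicity's code and not the upstream patch the changelog refers to; it only uses the ncftpput flags visible in this report (-F, -t, -V, -c, -u, -p and the -f account-file option from the man page excerpt). The exact positional layout once -f replaces the host argument is an assumption to check against the ncftp version in use, and the credential values are constructed samples.

```python
import os
import shlex
import stat
import tempfile
from typing import List, Optional

# Flags -F, -t, -V, -c, -u, -p, -f are taken from this report's pgrep output
# and man page excerpt. Whether the host positional is dropped when -f is
# given is an assumption; verify against your ncftp version.


def leaky_ncftpput_argv(host: str, user: str, password: str,
                        remote_path: str) -> List[str]:
    """The duplicity 0.4.3-1 shape: credentials live in argv, so any local
    user can read them with `ps` or `pgrep -fl ncftp` during the upload."""
    return ["ncftpput", "-F", "-t", "30", "-u", user, "-p", password,
            "-V", "-c", host, remote_path]


def write_ncftp_account_file(host: str, user: str, password: str,
                             directory: Optional[str] = None) -> str:
    """Write an ncftp account-information file (host/user/pass lines, the
    format quoted from the ncftpput man page) that only the owner can read.

    tempfile.mkstemp() opens with O_CREAT|O_EXCL and mode 0600 regardless
    of the process umask, so the file is never readable by others, not even
    briefly. fchmod() on the open descriptor additionally guards against a
    filesystem that ignores the create mode.
    """
    fd, path = tempfile.mkstemp(prefix="ncftp-", suffix=".cfg", dir=directory)
    try:
        os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)
        with os.fdopen(fd, "w") as fh:
            fh.write("host %s\nuser %s\npass %s\n" % (host, user, password))
    except BaseException:
        os.unlink(path)
        raise
    return path


def safe_ncftpput_argv(account_file: str, remote_path: str) -> List[str]:
    """The hardened shape: only the path of the 0600 file appears in argv."""
    return ["ncftpput", "-F", "-t", "30", "-f", account_file,
            "-V", "-c", remote_path]


def account_file_is_private(path: str) -> bool:
    """True if path is a regular file with no group/other permission bits."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (stat.S_IMODE(st.st_mode) & 0o077) == 0


def argv_exposes_secret(argv: List[str], secret: str) -> bool:
    """Check to run on any argv before exec(): does the secret appear as an
    argument, or inside one (e.g. after a shell wrapped it as 'ftppass')?"""
    return any(secret in arg for arg in argv)


def delete_account_file(path: str) -> None:
    """Remove the file once ncftpput has exited; the secret should not
    outlive the transfer on disk."""
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass


if __name__ == "__main__":
    # Constructed sample values mirroring the report, not real credentials.
    host, user, pw = "ftp.example.com", "ftpuser", "ftppass"
    remote = "2007-38/root/duplicity-full.vol70.difftar.gpg"
    print("leaky:", shlex.join(leaky_ncftpput_argv(host, user, pw, remote)))
    cfg = write_ncftp_account_file(host, user, pw)
    try:
        argv = safe_ncftpput_argv(cfg, remote)
        print("safe: ", shlex.join(argv))
        assert account_file_is_private(cfg)
        assert not argv_exposes_secret(argv, pw)
        # subprocess.run(argv, stdin=open(local_volume, "rb"), check=True)
    finally:
        delete_account_file(cfg)
```

Two details in the report's pgrep output are worth noting when applying this. First, ncftpput itself overwrites its own -u/-p arguments with `?` (pid 1154), but the `sh -c` wrapper that duplicity spawned (pid 1153) keeps the full command string, password included; passing an argv list to subprocess with the local file opened as stdin, rather than a shell string with `< file` redirection, removes that second process. Second, the account file is only as private as its directory: create it under a directory the user owns (mkstemp's default temp dir is fine on a normal system) and delete it as soon as the transfer ends.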
Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Zangerl <az@debian.org>:
Bug#442840; Package duplicity.


Acknowledgement sent to Alexander Zangerl <az@snafu.priv.at>:
Extra info received and forwarded to list. Copy sent to Alexander Zangerl <az@debian.org>.


Message #10 received at 442840@bugs.debian.org:

From: Alexander Zangerl <az@snafu.priv.at>
To: Sam Morris <sam@robots.org.uk>, 442840@bugs.debian.org
Subject: Re: Bug#442840: duplicity: exposes FTP password in command line args
Date: Wed, 19 Sep 2007 13:33:32 +1000
On Mon, 17 Sep 2007 10:52:22 +0100, Sam Morris writes:
>Package: duplicity
>Version: 0.4.3-1
>Severity: grave
>Tags: security
>Justification: user security hole
>
>Password details are passed to ncftp on the command line rather than via
>a file descriptor, environment variable or some other method that would
>keep the data private.

thanks for spotting these two ftp-related bugs; a fix is forthcoming
and a new version will be uploaded tonight.

regards
az


-- 
+ Alexander Zangerl + DSA 42BD645D + (RSA 5B586291)
He who joyfully marches to music in rank and file has already earned my 
contempt. He has been given a large brain by mistake, since for him the 
spinal cord would fully suffice. -- Einstein

Reply sent to Alexander Zangerl <az@debian.org>:
You have taken responsibility.


Notification sent to Sam Morris <sam@robots.org.uk>:
Bug acknowledged by developer.


Message #15 received at 442840-close@bugs.debian.org:

From: Alexander Zangerl <az@debian.org>
To: 442840-close@bugs.debian.org
Subject: Bug#442840: fixed in duplicity 0.4.3-2
Date: Wed, 19 Sep 2007 13:02:03 +0000
Source: duplicity
Source-Version: 0.4.3-2

We believe that the bug you reported is fixed in the latest version of
duplicity, which is due to be installed in the Debian FTP archive:

duplicity_0.4.3-2.diff.gz
  to pool/main/d/duplicity/duplicity_0.4.3-2.diff.gz
duplicity_0.4.3-2.dsc
  to pool/main/d/duplicity/duplicity_0.4.3-2.dsc
duplicity_0.4.3-2_i386.deb
  to pool/main/d/duplicity/duplicity_0.4.3-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 442840@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Zangerl <az@debian.org> (supplier of updated duplicity package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 19 Sep 2007 22:36:04 +1000
Source: duplicity
Binary: duplicity
Architecture: source i386
Version: 0.4.3-2
Distribution: unstable
Urgency: low
Maintainer: Alexander Zangerl <az@debian.org>
Changed-By: Alexander Zangerl <az@debian.org>
Description: 
 duplicity  - encrypted bandwidth-efficient backup
Closes: 442834 442840
Changes: 
 duplicity (0.4.3-2) unstable; urgency=low
 .
   * now suggests ncftp (closes: #442834) and mentions that in NEWS.Debian
     i have decided that Recommends: is too strong here, as ftp is a lousy
     protocol which should be avoided as much as possible.
   * applied upstream fix for leaking ftp passphrases via the commandline
     (closes: #442840). the fix works only with ncftp version 3.2.1
     and newer, which means etch is out.
   * applied upstream patch for upstream-#21123, which fixes another
     ftp backend problem.
   * finally fixed the superfluous passphrase dialogs
   * tidied build process for easier integration into ubuntu, removing
     some unnecessary python version dependencies
   * applied upstream patch for upstream-#6211, restoring strict host key
     checks for the ssh backend.
Files: 
 7e1ad5f99de3369400431e50ca10311b 663 utils optional duplicity_0.4.3-2.dsc
 34a6811369247fd9a22060d658d4da57 10868 utils optional duplicity_0.4.3-2.diff.gz
 359eb545fec4f46c7a5855ded2782050 111726 utils optional duplicity_0.4.3-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG8RiIpy/2bEK9ZF0RAloGAJ9TIAusAX0V87UV2itKSqAvGgOl0QCfSKb1
UUh+lay1lmgTdSvCziF7qwk=
=f/qs
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 21 Oct 2007 07:27:31 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 03:05:27 2025; Machine Name: buxtehude