Debian Bug report logs - #445582
ldapscripts shows passwords in the clear on the command line


Package: ldapscripts; Maintainer for ldapscripts is Alexander GQ Gerasiov <gq@debian.org>; Source for ldapscripts is src:ldapscripts.

Reported by: Don Armstrong <don@donarmstrong.com>

Date: Sun, 7 Oct 2007 04:06:01 UTC

Severity: serious

Tags: security

Found in version ldapscripts/1.4-2

Fixed in versions ldapscripts/1.7.1-2, ldapscripts/1.4-2etch1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to ganael.laplanche@martymac.com




Report forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#445582; Package ldapscripts. Full text and rfc822 format available.

Acknowledgement sent to Don Armstrong <don@donarmstrong.com>:
New Bug report received and forwarded. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Don Armstrong <don@donarmstrong.com>
To: submit@bugs.debian.org
Subject: ldapscripts shows passwords in the clear on the command line
Date: Sat, 6 Oct 2007 20:54:43 -0700
Package: ldapscripts
Severity: serious
Version: 1.4-2
Tag: security

Unless you're running grsecurity or some other patched kernel, the
following cannot be good:

_changepassword () {
  if [ -z "$1" ] || [ -z "$2" ]
  then
    end_die "_changepassword : missing argument(s)"
  else
    if is_yes "$RECORDPASSWORDS"
    then
      echo "$2 : $1" >> "$PASSWORDFILE"
    fi
    $LDAPPASSWDBIN -w "$BINDPWD" -D "$BINDDN" -xH "ldap://$SERVER" -s "$1" "$2" 2>>"$LOGFILE" 1>/dev/null
  fi
}


Don Armstrong

-- 
This message brought to you by weapons of mass destruction related
program activities, and the letter G.

http://www.donarmstrong.com              http://rzlab.ucr.edu
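
The channel Don's report relies on, as an added example that is not part of the bug report or of ldapscripts: a throwaway child process stands in for the ldappasswd call above, and its argument vector is read back the way any other local user could read it (Linux /proc/<pid>/cmdline, or `ps -o args=` elsewhere). The second function places the secret in a 0600 file inside a fresh 0700 directory and passes only the path, which is what the OpenLDAP tools' -y and -T options consume; that option behaviour is assumed from the man page excerpts quoted later in the thread, and the secret value is a constructed sample.

```sh
#!/bin/sh
# Added example, not code from ldapscripts or from this bug report: shows the
# channel the report relies on.  A process's argument vector is readable by
# every local user (on Linux through /proc/<pid>/cmdline, portably through
# `ps -o args=`), so whatever follows -w or -s in the ldappasswd call is public.

# Spawn a throwaway child that carries $1 in its argv, then read that argv back
# exactly as an unprivileged observer would.  `sh -c 'sleep 5; :' sh "$1"`
# stands in for `ldappasswd -w "$BINDPWD" ... -s "$NEWPASS"` from the report
# (two commands in the -c string, so the shell does not exec-optimise itself
# away and its argv stays visible).
argv_seen_by_others() {
    sh -c 'sleep 5; :' sh "$1" &
    pid=$!
    sleep 1                                   # let the child reach exec()
    if [ -r "/proc/$pid/cmdline" ]; then
        seen=$(tr '\0' ' ' < "/proc/$pid/cmdline")
    else
        seen=$(ps -o args= -p "$pid")
    fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    printf '%s\n' "$seen"
}

# Same observation, but the secret is placed in a 0600 file inside a fresh 0700
# directory and only the *path* goes into argv.  This is what the -y (bind
# password file) and -T (new password file) options of the OpenLDAP client
# tools consume instead of -w and -s.
argv_with_secret_in_file() {
    dir=$(mktemp -d) || return 1
    (umask 077; printf '%s' "$1" > "$dir/pw")   # printf is a shell builtin: no fork, no argv
    argv_seen_by_others "$dir/pw"
    rm -rf "$dir"
}

# Returns 0 if $2 occurs in $1.
contains() { case "$1" in *"$2"*) return 0 ;; esac; return 1; }

SECRET='s3cr3t-bind-pw'   # constructed sample value
printf 'with -w/-s style argv : %s\n' "$(argv_seen_by_others "$SECRET")"
printf 'with -y/-T style file : %s\n' "$(argv_with_secret_in_file "$SECRET")"
```

Run it as `sh leak.sh` on any Linux box: the first line printed contains the secret, the second only a temporary path. Mounting /proc with hidepid, or a grsecurity kernel, is the "patched kernel" case the report mentions and hides other users' cmdline entries; the file-based form does not depend on that.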




Tags added: security Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Sun, 07 Oct 2007 04:18:01 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#445582; Package ldapscripts. Full text and rfc822 format available.

Acknowledgement sent to Pierre Habouzit <madcoder@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #12 received at 445582@bugs.debian.org (full text, mbox):

From: Pierre Habouzit <madcoder@debian.org>
To: 445582@bugs.debian.org
Cc: ganael.laplanche@martymac.com, control@bugs.debian.org
Subject: Re: Bug#445582: ldapscripts shows passwords in the clear on the command line
Date: Mon, 08 Oct 2007 14:10:21 +0200
[Message part 1 (text/plain, inline)]
forwarded 445582 ganael.laplanche@martymac.com
thanks

FYI:

On Sun, Oct 07, 2007 at 03:54:43AM +0000, Don Armstrong wrote:
> Package: ldapscripts
> Severity: serious
> Version: 1.4-2
> Tag: security
> 
> Unless you're running grsecurity or some other patched kernel, the
> following cannot be good:
> 
> _changepassword () {
>   if [ -z "$1" ] || [ -z "$2" ]
>   then
>     end_die "_changepassword : missing argument(s)"
>   else
>     if is_yes "$RECORDPASSWORDS"
>     then
>       echo "$2 : $1" >> "$PASSWORDFILE"
>     fi
>     $LDAPPASSWDBIN -w "$BINDPWD" -D "$BINDDN" -xH "ldap://$SERVER" -s "$1" "$2" 2>>"$LOGFILE" 1>/dev/null
>   fi
> }

  The issue may appear in other places in your code (there are, e.g., some
unsafe sed calls). Though I must say I don't really know how to fix
this minimally.

-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
[Message part 2 (application/pgp-signature, inline)]

Noted your statement that Bug has been forwarded to ganael.laplanche@martymac.com. Request was from Pierre Habouzit <madcoder@debian.org> to control@bugs.debian.org. (Mon, 08 Oct 2007 12:18:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#445582; Package ldapscripts. Full text and rfc822 format available.

Acknowledgement sent to "Stefan Cornelius" <stefan.cornelius@gmail.com>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #19 received at 445582@bugs.debian.org (full text, mbox):

From: "Stefan Cornelius" <stefan.cornelius@gmail.com>
To: 445582@bugs.debian.org
Subject: Re: Bug#445582: ldapscripts shows passwords in the clear on the command line
Date: Mon, 8 Oct 2007 14:33:06 +0200
[Message part 1 (text/plain, inline)]
 Hi,

> The issue may appear in other places in your code (there are, e.g., some
> unsafe sed calls). Though I must say I don't really know how to fix
> this minimally.

my non-debian man page says:
-y passwdfile
Use complete contents of passwdfile as the password for simple
authentication.

That and a temporary file with correct permissions should do the job here?
Haven't looked at the unsafe seds calls, though.

Kind regards,
Stefan
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#445582; Package ldapscripts. Full text and rfc822 format available.

Acknowledgement sent to "Stefan Cornelius" <stefan.cornelius@gmail.com>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #24 received at 445582@bugs.debian.org (full text, mbox):

From: "Stefan Cornelius" <stefan.cornelius@gmail.com>
To: 445582@bugs.debian.org
Subject: Re: Bug#445582: Info received (Bug#445582: ldapscripts shows passwords in the clear on the command line)
Date: Mon, 8 Oct 2007 14:59:10 +0200
[Message part 1 (text/plain, inline)]
 Oops, disregard my previous message. Seems like I was a bit trigger-happy
and mixed it up with the -T parameter?

-T newPasswdFile
Set the new password to the contents of newPasswdFile.

I managed to confuse myself right
now and I'm not even sure if any of these params are OK at all. So better
don't listen to me, sorry.
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#445582; Package ldapscripts. Full text and rfc822 format available.

Acknowledgement sent to Pierre Habouzit <madcoder@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #29 received at 445582@bugs.debian.org (full text, mbox):

From: Pierre Habouzit <madcoder@debian.org>
To: Stefan Cornelius <stefan.cornelius@gmail.com>, 445582@bugs.debian.org
Subject: Re: Bug#445582: ldapscripts shows passwords in the clear on the command line
Date: Mon, 08 Oct 2007 15:06:14 +0200
[Message part 1 (text/plain, inline)]
On Mon, Oct 08, 2007 at 12:33:06PM +0000, Stefan Cornelius wrote:
>  Hi,
> 
> > The issue may appear in other places in your code (there are, e.g., some
> > unsafe sed calls). Though I must say I don't really know how to fix
> > this minimally.
> 
> my non-debian man page says:
> -y passwdfile
> Use complete contents of passwdfile as the password for simple
> authentication.
> 
> That and a temporary file with correct permissions should do the job here?
> Haven't looked at the unsafe seds calls, though.

  For the ldappasswd call, yes, it can work this way (mkstemp will give the
proper file, with the proper perms). For the sed calls it's less easy.

  I've not the time to fix that right now though.

-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#445582; Package ldapscripts. Full text and rfc822 format available.

Acknowledgement sent to Pierre Habouzit <madcoder@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #34 received at 445582@bugs.debian.org (full text, mbox):

From: Pierre Habouzit <madcoder@debian.org>
To: Ganael LAPLANCHE <ganael.laplanche@martymac.com>
Subject: Re: Bug#445582: ldapscripts shows passwords in the clear on the command line
Date: Mon, 08 Oct 2007 18:04:49 +0200
[Message part 1 (text/plain, inline)]
On Mon, Oct 08, 2007 at 02:57:42PM +0000, Ganael LAPLANCHE wrote:
> On Mon, 08 Oct 2007 14:10:21 +0200, Pierre Habouzit wrote
> 
> Hi Pierre,
> 
> > > Unless you're running grsecurity or some other patched kernel, the
> > > following cannot be good:
> > > 
> > >     $LDAPPASSWDBIN -w "$BINDPWD" -D "$BINDDN" -xH "ldap://$SERVER" -s "$1"
> > > "$2" 2>>"$LOGFILE" 1>/dev/null
> 
> Thanks for the forward.
> 
> Two passwords appear in clear-text format here : $BINDPWD (the one used for any
> ldapscripts connection) and $1 (the new one, to be changed for a given user).
> The first one appears in any function defined in the runtime file (easy to grep
> : BINDPWD), the second one is only used in _changepassword() to change a user's
> password.
> 
> Is it a matter of making the first one appear ? The second one, or both ? I
> understand these security issues, but my opinion is the scripts should only be
> used by a small set of users (e.g. *very* limited rx access to a specific
> user/group for config, runtime and script files). Since the password (at least
> the one used for binding) has to be sent clear-text to the LDAP directory, it
> has to be stored clear-text somewhere locally, and thus, any allowed user can
> source the conf file. I'm not sure storing it in a temp file would solve the
> problem...
> 
> Any further explanation of the problem is welcome since I am not sure to
> understand the problem correctly...

  The issue is that when the commands are run, the arguments can be seen
in clear text in `ps aux` output.

  So not only that script has the issue, the parts where you sed -e
"s/<password>/$PASSWORD/g" are vulnerable too.

  I understand the issue is not that obvious to fix, but this is an
issue in a multiuser environment, even if small (in my company we use
ldap, we don't want our interns to run busy psaux loops to steal the
ldap password …).

-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#445582; Package ldapscripts. Full text and rfc822 format available.

Acknowledgement sent to "Ganael LAPLANCHE" <ganael.laplanche@martymac.com>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #39 received at 445582@bugs.debian.org (full text, mbox):

From: "Ganael LAPLANCHE" <ganael.laplanche@martymac.com>
To: Pierre Habouzit <madcoder@debian.org>
Cc: 445582@bugs.debian.org
Subject: Re: Bug#445582: ldapscripts shows passwords in the clear on the command line
Date: Mon, 8 Oct 2007 19:52:29 +0200 (CEST)
On Mon, 08 Oct 2007 18:04:49 +0200, Pierre Habouzit wrote
>   The issue is that when the commands are run, the arguments can be 
> seen in clear text in `ps aux` output.
> 
>   So not only that script has the issue, the parts where you sed -e
> "s/<password>/$PASSWORD/g" are vulnerable too.

Hi again Pierre,

Yes, this is a really *big* issue. This is why one should prevent users from
seeing processes running with another uid and/or gid (e.g.
security.bsd.see_other_[u|g]ids sysctls on FreeBSD and hardened kernels on
GNU/Linux) !

Unfortunately, this is not always possible and there is no simple way to fix
this flaw. Note this is not related to the ldapscripts : any admin running a
'standard' ldapadd command (or ldapmodify, ...) with the -w switch will
encounter the same problem.

I'll try to have a look at it. The idea of a file containing the passwd could be
good... Any other idea is welcome :)

Best regards,

Ganaël LAPLANCHE
ganael.laplanche@martymac.com
http://www.martymac.com




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#445582; Package ldapscripts. Full text and rfc822 format available.

Acknowledgement sent to Pierre Habouzit <madcoder@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #44 received at 445582@bugs.debian.org (full text, mbox):

From: Pierre Habouzit <madcoder@debian.org>
To: Ganael LAPLANCHE <ganael.laplanche@martymac.com>
Cc: 445582@bugs.debian.org
Subject: Re: Bug#445582: ldapscripts shows passwords in the clear on the command line
Date: Mon, 08 Oct 2007 20:02:42 +0200
[Message part 1 (text/plain, inline)]
On Mon, Oct 08, 2007 at 05:52:29PM +0000, Ganael LAPLANCHE wrote:
> On Mon, 08 Oct 2007 18:04:49 +0200, Pierre Habouzit wrote
> >   The issue is that when the commands are run, the arguments can be 
> > seen in clear text in `ps aux` output.
> > 
> >   So not only that script has the issue, the parts where you sed -e
> > "s/<password>/$PASSWORD/g" are vulnerable too.
> 
> Hi again Pierre,
> 
> Yes, this is a really *big* issue. This is why one should prevent users from
> seeing processes running with another uid and/or gid (e.g.
> security.bsd.see_other_[u|g]ids sysctls on FreeBSD and hardened kernels on
> GNU/Linux) !
> 
> Unfortunately, this is not always possible and there is no simple way to fix
> this flaw. Note this is not related to the ldapscripts : any admin running a
> 'standard' ldapadd command (or ldapmodify, ...) with the -w switch will
> encounter the same problem.
> 
> I'll try to have a look at it. The idea of a file containing the passwd could be
> good... Any other idea is welcome :)

  IMHO the best fix is to have in your "runtime" file something like:

SAFE_TMPDIR=`mktemp -d` || die "unable to create safe temporary directory"
trap "rm -rf $SAFE_TMPDIR" 0

  This way, when any script ends, the whole temporary safe directory gets
removed.

  Then you can create whichever file you want, even using predefined
filenames if you want to. sed and ldappasswd are both able to read their
commands in a file. Also one could argue that "echo $PASSWD" is safe in
many shells where echo is a builtin.

You could ensure that it's the case using:

if ! (type echo || die "shell has no 'type' builtin") | grep -q builtin; then
    die "echo is not a builtin, ldapscripts won't be safe"
fi

  I tried in bash, dash, posh and zsh. it detects properly that posh
isn't suitable.

So that you can build the sed scripts using:
  echo "$PASSWORD" >> foo.sed
in a safe way.

-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#445582; Package ldapscripts. Full text and rfc822 format available.

Acknowledgement sent to "Ganael LAPLANCHE" <ganael.laplanche@martymac.com>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #49 received at 445582@bugs.debian.org (full text, mbox):

From: "Ganael LAPLANCHE" <ganael.laplanche@martymac.com>
To: Pierre Habouzit <madcoder@debian.org>, Ganael LAPLANCHE <ganael.laplanche@martymac.com>
Cc: 445582@bugs.debian.org
Subject: Re: Bug#445582: ldapscripts shows passwords in the clear on the command line
Date: Wed, 10 Oct 2007 20:03:02 +0200 (CEST)
On Mon, 08 Oct 2007 20:02:42 +0200, Pierre Habouzit wrote

> IMHO the best fix is to have in your "runtime" file sth like:
> [...]

Hi again Pierre,

I am still working on patching the scripts. This will lead to a 'security
release' named 1.7.1, quite soon (I hope).

Binding is Ok, I will use a file containing the password (no more $BINDPWD
variable) and ldap commands' -y option. Anyway, I still think this 'flaw' should
also be patched at openldap level when possible (setproctitle(3)).

I still wonder if it is a good idea to use a temporary file for sed scripts.
Trap is good, but what if the server crashes ? Is it better to be able to watch
sed expressions during a few seconds with ps or to leave orphan temporary files
on the disk forever ? Any idea ?

Best regards,

Ganaël LAPLANCHE
ganael.laplanche@martymac.com
http://www.martymac.com




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#445582; Package ldapscripts. Full text and rfc822 format available.

Acknowledgement sent to Pierre Habouzit <madcoder@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #54 received at 445582@bugs.debian.org (full text, mbox):

From: Pierre Habouzit <madcoder@debian.org>
To: Ganael LAPLANCHE <ganael.laplanche@martymac.com>
Cc: 445582@bugs.debian.org
Subject: Re: Bug#445582: ldapscripts shows passwords in the clear on the command line
Date: Wed, 10 Oct 2007 20:55:04 +0200
[Message part 1 (text/plain, inline)]
On Wed, Oct 10, 2007 at 06:03:02PM +0000, Ganael LAPLANCHE wrote:
> On Mon, 08 Oct 2007 20:02:42 +0200, Pierre Habouzit wrote
> 
> > IMHO the best fix is to have in your "runtime" file sth like:
> > [...]
> 
> Hi again Pierre,
> 
> I am still working on patching the scripts. This will lead to a 'security
> release' named 1.7.1, quite soon (I hope).
> 
> Binding is Ok, I will use a file containing the password (no more $BINDPWD
> variable) and ldap commands' -y option. Anyway, I still think this 'flaw' should
> also be patched at openldap level when possible (setproctitle(3)).
> 
> I still wonder if it is a good idea to use a temporary file for sed scripts.
> Trap is good, but what if the server crashes ? Is it better to be able to watch
> sed expressions during a few seconds with ps or to leave orphan temporary files
> on the disk forever ? Any idea ?

  If the server crashes, then it will be rebooted, and /tmp is cleansed at
boot time, so no worries here.

-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#445582; Package ldapscripts. Full text and rfc822 format available.

Acknowledgement sent to "Ganael LAPLANCHE" <ganael.laplanche@martymac.com>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #59 received at 445582@bugs.debian.org (full text, mbox):

From: "Ganael LAPLANCHE" <ganael.laplanche@martymac.com>
To: Pierre Habouzit <madcoder@debian.org>, Ganael LAPLANCHE <ganael.laplanche@martymac.com>
Cc: 445582@bugs.debian.org
Subject: Re: Bug#445582: ldapscripts shows passwords in the clear on the command line
Date: Thu, 11 Oct 2007 08:32:52 +0200 (CEST)
On Wed, 10 Oct 2007 20:55:04 +0200, Pierre Habouzit wrote

> If the server crashes, then it will be rebooted, and /tmp is cleansed 
> at boot time, so no worries here.

Well, it depends on your system and how it is configured... But I agree, such a
situation (crash /while/ using the script + /tmp not cleansed) may happen quite
rarely.

Ganaël LAPLANCHE
ganael.laplanche@martymac.com
http://www.martymac.com





Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#445582; Package ldapscripts. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #64 received at 445582@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 445582@bugs.debian.org
Subject: CVE-2007-5373 issued
Date: Fri, 12 Oct 2007 22:18:09 +1000
[Message part 1 (text/plain, inline)]
Hi

There has been a CVE[0] issued for this bug. Please add a line to your 
changelog file, when you close this bug by an upload and state that it fixes 
the CVE.
Thanks in advance.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5373
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#445582; Package ldapscripts. Full text and rfc822 format available.

Acknowledgement sent to "Ganael LAPLANCHE" <ganael.laplanche@martymac.com>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #69 received at 445582@bugs.debian.org (full text, mbox):

From: "Ganael LAPLANCHE" <ganael.laplanche@martymac.com>
To: "Ganael LAPLANCHE" <ganael.laplanche@martymac.com>, Pierre Habouzit <madcoder@debian.org>, Ganael LAPLANCHE <ganael.laplanche@martymac.com>
Cc: 445582@bugs.debian.org
Subject: Re: Bug#445582: ldapscripts shows passwords in the clear on the command line
Date: Sat, 13 Oct 2007 13:37:25 +0200 (CEST)
On Thu, 11 Oct 2007 08:32:52 +0200 (CEST), Ganael LAPLANCHE wrote

Hi everybody,

ldapscripts v1.7.1 are now available and fix these issues.

Here is the CHANGELOG :

------------
2007/10/13 : ldapscripts 1.7.1
  - Fixes for CVE-2007-5373
    see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5373
    and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=445582

    1) Up to now, each ldap* command was called with the -w parameter, which
       allows one to specify the bind password on the command line.
       Unfortunately, this could make the password appear to anybody performing
       a `ps` during the call. This is now avoided by using the -y parameter and
       a password file.

       -> A new BINDPWDFILE option has been added : it specifies the path to the
       bind password file. This file can be created by something like :
       'echo -n 'password' > $BINDPWDFILE' and you can now safely remove (or
       comment) the BINDPWD parameter from your configuration file.

    2) Changing a user password could also reveal the new password on the
       command line, because of the use of ldappasswd's -s option. This has been
       fixed by using a temporary file containing the new password (and
       ldappasswd's -T option).

       -> [internals] New mktempf() and reltempf() functions have been added

    [For older versions of OpenLDAP, -y and -T parameters may not be available.
    It is still possible to use the old BINDPWD parameter. Just uncomment it
    from the configuration file and comment the BINDPWDFILE parameter (which
    takes precedence over BINDPWD). The ldapscripts will just behave as
    previously and use inline -w and -s parameters, warning you that this is
    not a secure way of running them.]

    3) A similar problem related to sed expressions has been found : it may also
       reveal a user's password to `ps` users. This is now fixed by using
       temporary files containing sed expressions (and sed's -f option).

    4) A new test has been added to check if 'echo' and '[' are built-in or
       not. If not, you'll be warned that the ldapscripts may not be safe to use
       (because these commands manipulate passwords when creating temporary
       files).

       -> [internals] New is_builtin() function

    Note that these flaws depend largely on your kernel configuration :
    hardened kernels should not be impacted (e.g. if you use
    security.bsd.see_other_[u|g]ids sysctls on FreeBSD). It may also depend on
    the version of OpenLDAP client commands you run.

    Thanks a lot to Don and Madcoder for their help !

  - Few fixes to avoid using non-standard 'if ! command's...
------------

Thanks a lot for your help in finding these issues ! (and don't hesitate to come
back to me again if you find other problems related to the scripts)

Best regards,

Ganaël LAPLANCHE
ganael.laplanche@martymac.com
http://www.martymac.com
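
Pierre's runtime sketch in message #44 and the four changelog items it became above (private temporary directory removed by a trap, builtin check, password file for -y/-T, sed script file for -f), assembled into a runnable form as an added example that is not ldapscripts code. The function names (safe_tmpdir, is_builtin, write_secret, sed_with_secret, render_user_ldif), the LDIF template and the sample passwords are this example's own; the escaping of the password before it goes into the sed script is an addition the thread does not discuss, and the -y/-T semantics are assumed from the man page excerpts quoted earlier.

```sh
#!/bin/sh
# Added example, not ldapscripts code: the runtime helpers Pierre sketches in
# message #44, in the shape the 1.7.1 changelog describes (private temp dir,
# builtin check, password file for -y/-T, sed -f script).  Function names
# (safe_tmpdir, is_builtin, write_secret, sed_with_secret, render_user_ldif)
# are this example's own, not ldapscripts identifiers.

die() { printf '%s\n' "$*" >&2; exit 1; }

# One private 0700 directory per run, removed when the shell exits for any
# reason (a trap on EXIT also fires when a die/end_die helper calls exit).
safe_tmpdir() {
    SAFE_TMPDIR=$(mktemp -d) || die "unable to create safe temporary directory"
    trap 'rm -rf "$SAFE_TMPDIR"' EXIT
}

# Refuse to handle secrets with commands that would fork: a non-builtin echo or
# printf would put the password back into some process's argv.  `type` prints
# "... is a shell builtin" in dash, bash and zsh.
is_builtin() {
    type "$1" 2>/dev/null | grep -q builtin
}

# Write $1 to file $2 with mode 0600 and no trailing newline (ldappasswd -T and
# the -y bind-password file use the *complete* file contents).  umask is set in
# a subshell so the caller's umask is untouched; printf rather than `echo -n`
# because echo -n is not portable.
write_secret() {
    is_builtin printf || die "printf is not a builtin, refusing to write secrets"
    (umask 077; printf '%s' "$1" > "$2")
}

# Mode string of a path, e.g. "-rw-------", for checking write_secret's result.
file_mode() { ls -ld "$1" | cut -c1-10; }

# Replace <password> in template $1 with $2 using a sed *script file* (-f), so
# sed's argv holds only the script path.  This is the fix for the
#   sed -e "s/<password>/$PASSWORD/g"
# pattern.  The secret is escaped for sed's replacement side (\, & and the |
# delimiter) so a password cannot break out of the s command.  Passwords
# containing a newline are out of scope here.
sed_with_secret() {
    esc=$(printf '%s' "$2" | sed 's/[\\&|]/\\&/g')     # secret enters sed via stdin, not argv
    script="$SAFE_TMPDIR/sub.sed"
    (umask 077; printf 's|<password>|%s|g\n' "$esc" > "$script")
    sed -f "$script" "$1"
}

safe_tmpdir
is_builtin echo || die "echo is not a builtin, ldapscripts-style scripts won't be safe"

# Constructed sample template standing in for an ldapscripts LDIF skeleton.
TEMPLATE="$SAFE_TMPDIR/user.ldif"
printf '%s\n' 'dn: uid=<user>,ou=People,dc=example,dc=com' \
              'userPassword: <password>' > "$TEMPLATE"

# Render the template with password $1; the LDIF goes to stdout.
render_user_ldif() { sed_with_secret "$TEMPLATE" "$1"; }

# Bind password file for `ldapsearch -y "$BINDPWDFILE" ...` (the ldap call is
# only shown in this comment; no directory is contacted here).
BINDPWDFILE="$SAFE_TMPDIR/bindpw"
write_secret 'constructed-bind-pw' "$BINDPWDFILE"

render_user_ldif 'p&ss/w0rd\x'
printf 'bind password file mode: %s\n' "$(file_mode "$BINDPWDFILE")"
```

Because the directory is created 0700 by mktemp -d, the fixed file names inside it (sub.sed, bindpw) are not reachable by other users, which is the point Pierre makes later in the thread when the predictable mktempf() names are questioned; the trap still matters for the orphan-file case Ganaël raises, since it runs on every normal exit and on die.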





Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#445582; Package ldapscripts. Full text and rfc822 format available.

Acknowledgement sent to "Ganael LAPLANCHE" <ganael.laplanche@martymac.com>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #74 received at 445582@bugs.debian.org (full text, mbox):

From: "Ganael LAPLANCHE" <ganael.laplanche@martymac.com>
To: Pierre Habouzit <madcoder@debian.org>
Cc: 445582@bugs.debian.org
Subject: Re: Bug#445582: ldapscripts shows passwords in the clear on the command line
Date: Sat, 13 Oct 2007 13:42:50 +0200 (CEST)
On Sat, 13 Oct 2007 13:37:25 +0200 (CEST), Ganael LAPLANCHE wrote
> On Thu, 11 Oct 2007 08:32:52 +0200 (CEST), Ganael LAPLANCHE wrote
> 
> Hi everybody,
> 
> ldapscripts v1.7.1 are now available and fix these issues.

Oops, sorry, I forgot to say where the update is available :

http://contribs.martymac.com/ldapscripts/ldapscripts-1.7.1.tgz
http://www.sourceforge.net/projects/ldapscripts

Best regards,

Ganaël LAPLANCHE
ganael.laplanche@martymac.com
http://www.martymac.com





Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#445582; Package ldapscripts. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #79 received at 445582@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 445582@bugs.debian.org
Cc: ganael.laplanche@martymac.com
Subject: Re: Bug#445582: ldapscripts shows passwords in the clear on the command line
Date: Sun, 21 Oct 2007 18:16:49 +1000
[Message part 1 (text/plain, inline)]
Hi

Today, I had a look at the new upstream version 1.7.1, in order to fix 
unstable and testing. The new upstream version uses a function called 
mktempf () . There you generate the tempfile. However, you do not use 
the "mktemp" program. I did not try it so far, but I think that it is 
possible to guess the temp file, because you use 
_TMPFILE="$TMPDIR/`basename $0`.`date '+%Y%m%d-%H%M%S'`.$$"

I would suggest using mktemp instead, which creates unique temporary 
filenames, which cannot be guessed.

Cheers
Steffen
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#445582; Package ldapscripts. Full text and rfc822 format available.

Acknowledgement sent to Pierre Habouzit <madcoder@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #84 received at 445582@bugs.debian.org (full text, mbox):

From: Pierre Habouzit <madcoder@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 445582@bugs.debian.org
Cc: ganael.laplanche@martymac.com
Subject: Re: Bug#445582: ldapscripts shows passwords in the clear on the command line
Date: Sun, 21 Oct 2007 10:15:14 +0200
[Message part 1 (text/plain, inline)]
On Sun, Oct 21, 2007 at 08:16:49AM +0000, Steffen Joeris wrote:
> Hi
> 
> Today, I had a look at the new upstream version 1.7.1, in order to fix 
> unstable and testing. The new upstream version uses a function called 
> mktempf () . There you generate the tempfile. However, you do not use 
> the "mktemp" program. I did not try it so far, but I think that it is 
> possible to guess the temp file, because you use 
> _TMPFILE="$TMPDIR/`basename $0`.`date '+%Y%m%d-%H%M%S'`.$$"
> 
> I would suggest using mktemp instead, which creates unique temporary 
> filenames, which cannot be guessed.

  what would be the point ? $TMPDIR is 0700.
> 
> Cheers
> Steffen



-- 
·O·  Pierre Habouzit
··O                                                madcoder@debian.org
OOO                                                http://www.madism.org
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Pierre Habouzit <madcoder@debian.org>:
Bug#445582; Package ldapscripts. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Pierre Habouzit <madcoder@debian.org>. Full text and rfc822 format available.

Message #89 received at 445582@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Pierre Habouzit <madcoder@debian.org>
Cc: 445582@bugs.debian.org, ganael.laplanche@martymac.com
Subject: Re: Bug#445582: ldapscripts shows passwords in the clear on the command line
Date: Sun, 21 Oct 2007 18:33:19 +1000
[Message part 1 (text/plain, inline)]
Hi

> > I would suggest using mktemp instead, which creates unique temporary
> > filenames, which cannot be guessed.
>
>   what would be the point ? $TMPDIR is 0700.
Bah, I overlooked the umask call. Thanks for the pointer.

Cheers
Steffen
[signature.asc (application/pgp-signature, inline)]

Reply sent to Pierre Habouzit <madcoder@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Don Armstrong <don@donarmstrong.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #94 received at 445582-close@bugs.debian.org (full text, mbox):

From: Pierre Habouzit <madcoder@debian.org>
To: 445582-close@bugs.debian.org
Subject: Bug#445582: fixed in ldapscripts 1.7.1-2
Date: Mon, 22 Oct 2007 07:17:03 +0000
Source: ldapscripts
Source-Version: 1.7.1-2

We believe that the bug you reported is fixed in the latest version of
ldapscripts, which is due to be installed in the Debian FTP archive:

ldapscripts_1.7.1-2.diff.gz
  to pool/main/l/ldapscripts/ldapscripts_1.7.1-2.diff.gz
ldapscripts_1.7.1-2.dsc
  to pool/main/l/ldapscripts/ldapscripts_1.7.1-2.dsc
ldapscripts_1.7.1-2_all.deb
  to pool/main/l/ldapscripts/ldapscripts_1.7.1-2_all.deb
ldapscripts_1.7.1.orig.tar.gz
  to pool/main/l/ldapscripts/ldapscripts_1.7.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 445582@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Habouzit <madcoder@debian.org> (supplier of updated ldapscripts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 21 Oct 2007 12:27:03 +0200
Source: ldapscripts
Binary: ldapscripts
Architecture: source all
Version: 1.7.1-2
Distribution: unstable
Urgency: low
Maintainer: Pierre Habouzit <madcoder@debian.org>
Changed-By: Pierre Habouzit <madcoder@debian.org>
Description: 
 ldapscripts - Add and remove user and groups (stored in a ldap directory)
Closes: 324296 340785 405755 445582 445582
Changes: 
 ldapscripts (1.7.1-2) unstable; urgency=low
 .
   * New upstream release:
      + Has the fix for CVE-2007-5373 (Closes: #445582).
      + User can now modify ldiff skeleton (Closes: #405755).
   * Make upstream support DESTDIR in its makefile.
Files: 
 3221f002dedbc2a6bd5d751d91856ff9 588 admin optional ldapscripts_1.7.1-2.dsc
 33cc2ef99cc70d9dc9a89a1955aa765c 26149 admin optional ldapscripts_1.7.1.orig.tar.gz
 7658935e186d1d82f6ddc9d8c3674f19 11821 admin optional ldapscripts_1.7.1-2.diff.gz
 cddcfdda05c754a7021f8e17279ad2a3 39342 admin optional ldapscripts_1.7.1-2_all.deb






Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Don Armstrong <don@donarmstrong.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #99 received at 445582-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 445582-close@bugs.debian.org
Subject: Bug#445582: fixed in ldapscripts 1.4-2etch1
Date: Fri, 11 Apr 2008 19:53:24 +0000
Source: ldapscripts
Source-Version: 1.4-2etch1

We believe that the bug you reported is fixed in the latest version of
ldapscripts, which is due to be installed in the Debian FTP archive:

ldapscripts_1.4-2etch1.diff.gz
  to pool/main/l/ldapscripts/ldapscripts_1.4-2etch1.diff.gz
ldapscripts_1.4-2etch1.dsc
  to pool/main/l/ldapscripts/ldapscripts_1.4-2etch1.dsc
ldapscripts_1.4-2etch1_all.deb
  to pool/main/l/ldapscripts/ldapscripts_1.4-2etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 445582@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated ldapscripts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 15 Mar 2008 22:03:09 +0100
Source: ldapscripts
Binary: ldapscripts
Architecture: source all
Version: 1.4-2etch1
Distribution: stable-security
Urgency: high
Maintainer: Pierre Habouzit <madcoder@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 ldapscripts - Add and remove user and groups (stored in a ldap directory)
Closes: 445582
Changes: 
 ldapscripts (1.4-2etch1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix information disclosure (password used on command line) with
     upstream patch. Closes: #445582. CVE-2007-5373
Files: 
 dabe3144f01910f1f055a2a6d9b63148 883 admin optional ldapscripts_1.4-2etch1.dsc
 4d4fd01f12940bf2272cf9b2a27e34c5 8429 admin optional ldapscripts_1.4-2etch1.diff.gz
 52a069bdb720fb9d9897f96dbc150c8a 28482 admin optional ldapscripts_1.4-2etch1_all.deb






Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Don Armstrong <don@donarmstrong.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #104 received at 445582-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 445582-close@bugs.debian.org
Subject: Bug#445582: fixed in ldapscripts 1.4-2etch1
Date: Sat, 26 Jul 2008 09:40:45 +0000
Source: ldapscripts
Source-Version: 1.4-2etch1

We believe that the bug you reported is fixed in the latest version of
ldapscripts, which is due to be installed in the Debian FTP archive:

ldapscripts_1.4-2etch1.diff.gz
  to pool/main/l/ldapscripts/ldapscripts_1.4-2etch1.diff.gz
ldapscripts_1.4-2etch1.dsc
  to pool/main/l/ldapscripts/ldapscripts_1.4-2etch1.dsc
ldapscripts_1.4-2etch1_all.deb
  to pool/main/l/ldapscripts/ldapscripts_1.4-2etch1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 445582@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated ldapscripts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 15 Mar 2008 22:03:09 +0100
Source: ldapscripts
Binary: ldapscripts
Architecture: source all
Version: 1.4-2etch1
Distribution: stable-security
Urgency: high
Maintainer: Pierre Habouzit <madcoder@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 ldapscripts - Add and remove user and groups (stored in a ldap directory)
Closes: 445582
Changes: 
 ldapscripts (1.4-2etch1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Fix information disclosure (password used on command line) with
     upstream patch. Closes: #445582. CVE-2007-5373
Files: 
 dabe3144f01910f1f055a2a6d9b63148 883 admin optional ldapscripts_1.4-2etch1.dsc
 4d4fd01f12940bf2272cf9b2a27e34c5 8429 admin optional ldapscripts_1.4-2etch1.diff.gz
 52a069bdb720fb9d9897f96dbc150c8a 28482 admin optional ldapscripts_1.4-2etch1_all.deb






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Aug 2008 07:35:08 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 16:28:45 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.