Debian Bug report logs - #473131
dbconfig-common: database backups are world-readable


Package: dbconfig-common; Maintainer for dbconfig-common is Sean Finney <seanius@debian.org>; Source for dbconfig-common is src:dbconfig-common.

Reported by: Niko Tyni <ntyni@debian.org>

Date: Fri, 28 Mar 2008 14:33:04 UTC

Severity: serious

Tags: etch, patch, pending, security

Found in versions dbconfig-common/1.8.37, dbconfig-common/1.8.29+etch1

Fixed in versions dbconfig-common/1.8.37+nmu1, 1.8.37-0.1

Done: Stephen Gran <sgran@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#473131; Package dbconfig-common. Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
New Bug report received and forwarded. Copy sent to sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: submit@bugs.debian.org
Subject: dbconfig-common: database backups are world-readable
Date: Fri, 28 Mar 2008 16:30:04 +0200
Package: dbconfig-common
Version: 1.8.37
Severity: serious
Tags: security

When dbconfig-common detects that a database upgrade is needed, it dumps
a backup in /var/cache/dbconfig-common/backups. Unfortunately this backup
is world-readable, which bypasses all application-specific access
control mechanisms.

-rw-r--r-- 1 root root 44032 2008-03-27 20:47 /var/cache/dbconfig-common/backups/request-tracker3.6_3.6.6-1.mysql

The Etch version of the package has the same bug, but as we discussed
in private, it's currently unclear if any Etch packages are actually
using the upgrade functionality.

Note that PostgreSQL databases are unaffected by this because of #473013
(which also applies to the Etch version).

Cheers,
-- 
Niko Tyni   ntyni@debian.org




Bug marked as found in version 1.8.29+etch1. Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Fri, 28 Mar 2008 15:03:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#473131; Package dbconfig-common. Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #12 received at 473131@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: 473131@bugs.debian.org
Subject: Re: dbconfig-common: database backups are world-readable
Date: Sat, 29 Mar 2008 12:33:57 +0200
On Fri, Mar 28, 2008 at 04:30:04PM +0200, Niko Tyni wrote:
 
> The Etch version of the package has the same bug, but as we discussed
> in private, it's currently unclear if any Etch packages are actually
> using the upgrade functionality.

This is actually trivial to find out:

 etch% apt-file search -l -x '^usr/share/dbconfig-common/.*/upgrade'
 bacula-director-mysql
 bacula-director-pgsql
 jffnms
 phpwiki
 postfix-policyd

Cheers,
-- 
Niko Tyni   ntyni@debian.org




Information forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#473131; Package dbconfig-common. Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #17 received at 473131@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: 473131@bugs.debian.org
Subject: dbconfig-common: diff for NMU version 1.8.37-0.1
Date: Sat, 5 Apr 2008 00:58:40 +0100
[Message part 1 (text/plain, inline)]
tags 473131 + patch
thanks

Hey Sean,

Tentative fix for this attached.  I'll wait a day or so to hear from you
before I upload.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
[dbconfig-common-1.8.37-0.1-nmu.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#473131; Package dbconfig-common. Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #22 received at 473131@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: 473131@bugs.debian.org
Subject: dbconfig-common: diff for NMU version 1.8.37-0.1
Date: Sat, 5 Apr 2008 01:02:55 +0100
[Message part 1 (text/plain, inline)]
Um,

that last umask was crack.  This is actually correct.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
[dbconfig-common-1.8.37-0.1-nmu.diff (text/x-diff, attachment)]

Tags added: patch Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (Sat, 05 Apr 2008 00:45:05 GMT) Full text and rfc822 format available.

Reply sent to Stephen Gran <sgran@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Niko Tyni <ntyni@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #29 received at 473131-close@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: 473131-close@bugs.debian.org
Subject: Bug#473131: fixed in dbconfig-common 1.8.37+nmu1
Date: Sat, 05 Apr 2008 10:02:32 +0000
Source: dbconfig-common
Source-Version: 1.8.37+nmu1

We believe that the bug you reported is fixed in the latest version of
dbconfig-common, which is due to be installed in the Debian FTP archive:

dbconfig-common_1.8.37+nmu1.dsc
  to pool/main/d/dbconfig-common/dbconfig-common_1.8.37+nmu1.dsc
dbconfig-common_1.8.37+nmu1.tar.gz
  to pool/main/d/dbconfig-common/dbconfig-common_1.8.37+nmu1.tar.gz
dbconfig-common_1.8.37+nmu1_all.deb
  to pool/main/d/dbconfig-common/dbconfig-common_1.8.37+nmu1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 473131@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stephen Gran <sgran@debian.org> (supplier of updated dbconfig-common package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 05 Apr 2008 10:54:47 +0100
Source: dbconfig-common
Binary: dbconfig-common
Architecture: source all
Version: 1.8.37+nmu1
Distribution: unstable
Urgency: low
Maintainer: sean finney <seanius@debian.org>
Changed-By: Stephen Gran <sgran@debian.org>
Description: 
 dbconfig-common - common framework for packaging database applications
Closes: 473131
Changes: 
 dbconfig-common (1.8.37+nmu1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Make database dumps non world readable (closes: #473131)
Files: 
 c2032fa73fd546bcb9354e273f460b29 673 admin optional dbconfig-common_1.8.37+nmu1.dsc
 a30e853fdce319edca26c5b8ad2cee3f 317878 admin optional dbconfig-common_1.8.37+nmu1.tar.gz
 f02cb47932596fd5c20f6525f20c0fbc 475502 admin optional dbconfig-common_1.8.37+nmu1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH90zfSYIMHOpZA44RAmmGAKCYV91E1RYk2bWuvOTGyTOVV+iGlgCgpDLJ
BV7bWw98uDA+4sQtnBho1Y0=
=8Qz4
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#473131; Package dbconfig-common. Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #34 received at 473131@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: 473131@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#473131: dbconfig-common: database backups are world-readable
Date: Tue, 8 Apr 2008 21:05:21 +0300
tag 473131 etch
thanks

On Fri, Mar 28, 2008 at 04:30:04PM +0200, Niko Tyni wrote:
> Package: dbconfig-common
> Version: 1.8.37
> Severity: serious
> Tags: security
> 
> When dbconfig-common detects that a database upgrade is needed, it dumps
> a backup in /var/cache/dbconfig-common/backups. Unfortunately this backup
> is world-readable, which bypasses all application-specific access
> control mechanisms.
> 
> -rw-r--r-- 1 root root 44032 2008-03-27 20:47 /var/cache/dbconfig-common/backups/request-tracker3.6_3.6.6-1.mysql
> 
> The Etch version of the package has the same bug, but as we discussed
> in private, it's currently unclear if any Etch packages are actually
> using the upgrade functionality.
> 
> Note that PostgreSQL databases are unaffected by this because of #473013
> (which also applies to the Etch version).

This is now fixed in sid with 1.8.37+nmu1, but I think it also needs
a security update for Etch.  Otherwise upgrades (especially partial
ones) from Etch to Lenny will hit the bug, as there is no guarantee
that dbconfig-common gets upgraded before the application unless its
dependency is versioned.

The command 

% apt-file search -l -x '^usr/share/dbconfig-common/.*/upgrade'

shows 16 packages using the upgrade functionality in current unstable.

Cc'ing the security team.

Cheers,
-- 
Niko Tyni   ntyni@debian.org




Tags added: etch Request was from Niko Tyni <ntyni@debian.org> to control@bugs.debian.org. (Tue, 08 Apr 2008 18:06:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#473131; Package dbconfig-common. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #41 received at 473131@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: Niko Tyni <ntyni@debian.org>
Cc: 473131@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#473131: dbconfig-common: database backups are world-readable
Date: Tue, 08 Apr 2008 22:07:37 +0200
* Niko Tyni:

> This is now fixed in sid with 1.8.37+nmu1, but I think it also needs
> a security update for Etch.  Otherwise upgrades (especially partial
> ones) from Etch to Lenny will hit the bug, as there is no guarantee
> that dbconfig-common gets upgraded before the application unless its
> dependency is versioned.
>
> The command 
>
> % apt-file search -l -x '^usr/share/dbconfig-common/.*/upgrade'
>
> shows 16 packages using the upgrade functionality in current unstable.

If no packages in etch use this functionality, please upload a fixed
package to stable-proposed-updates.  This way, the fix will be included
in time.

Security team, could we still get a CVE for this issue, please?  It's
Debian-specific, I believe.




Information forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#473131; Package dbconfig-common. Full text and rfc822 format available.

Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. Copy sent to sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #46 received at 473131@bugs.debian.org (full text, mbox):

From: Niko Tyni <ntyni@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 473131@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#473131: dbconfig-common: database backups are world-readable
Date: Wed, 9 Apr 2008 00:53:26 +0300
On Tue, Apr 08, 2008 at 10:07:37PM +0200, Florian Weimer wrote:
> * Niko Tyni:
> 
> > This is now fixed in sid with 1.8.37+nmu1, but I think it also needs
> > a security update for Etch.  Otherwise upgrades (especially partial
> > ones) from Etch to Lenny will hit the bug, as there is no guarantee
> > that dbconfig-common gets upgraded before the application unless its
> > dependency is versioned.
> >
> > The command 
> >
> > % apt-file search -l -x '^usr/share/dbconfig-common/.*/upgrade'
> >
> > shows 16 packages using the upgrade functionality in current unstable.
> 
> If the no packages in etch use this functionality, please upload a fix
> package to stable-proposed-updates.  This way, the fix will be included
> in time.

Sorry, as I noted earlier in this bug, the Etch packages that have
upgrade files installed are

  bacula-director-mysql
  bacula-director-pgsql
  jffnms
  phpwiki
  postfix-policyd

I haven't looked into the circumstances where the upgrades are activated.
 
> Security team, could we still get a CVE for this issue, please?  It's
> Debian-specific, I believe.

Cheers,
-- 
Niko Tyni   ntyni@debian.org




Information forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#473131; Package dbconfig-common. Full text and rfc822 format available.

Acknowledgement sent to "Matt Brown" <matt@mattb.net.nz>:
Extra info received and forwarded to list. Copy sent to sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #51 received at 473131@bugs.debian.org (full text, mbox):

From: "Matt Brown" <matt@mattb.net.nz>
To: "Niko Tyni" <ntyni@debian.org>, 473131@bugs.debian.org
Cc: "Florian Weimer" <fw@deneb.enyo.de>, team@security.debian.org
Subject: Re: Bug#473131: dbconfig-common: database backups are world-readable
Date: Wed, 9 Apr 2008 00:11:26 +0100
On Tue, Apr 8, 2008 at 10:53 PM, Niko Tyni <ntyni@debian.org> wrote:
>   phpwiki

phpwiki is not affected by this as the package installs the database
with permissions 664 root:www-data

There is nothing sensitive in the database, just wiki pages that are
available via the http server. The admin password is kept in the
config.ini file in /etc.

-- 
Matt Brown
matt@mattb.net.nz
Mob +353 86 608 7117 www.mattb.net.nz




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#473131; Package dbconfig-common. Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #56 received at 473131@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: "Matt Brown" <matt@mattb.net.nz>, 473131@bugs.debian.org
Cc: "Niko Tyni" <ntyni@debian.org>, "Florian Weimer" <fw@deneb.enyo.de>, team@security.debian.org
Subject: Re: Bug#473131: dbconfig-common: database backups are world-readable
Date: Wed, 9 Apr 2008 01:42:02 +0200
[Message part 1 (text/plain, inline)]
hiya,

On Wednesday 09 April 2008 01:11:26 am Matt Brown wrote:
> On Tue, Apr 8, 2008 at 10:53 PM, Niko Tyni <ntyni@debian.org> wrote:
> >   phpwiki
>
> phpwiki is not affected by this as the package installs the database
> with permissions 664 root:www-data

however, i suspect that the data used by bacula's packages is sufficiently 
sensitive to warrant action.  we could do any of the following:

- issue a security upload with the diff from the NMU
- issue an update via etch-proposed-updates
- ensure the affected packages in unstable depend on dbc >= this nmu and
  that they migrate successfully to lenny

and it seems of these the security upload is both the simplest solution as 
well as most sensible one.

i don't know that a CVE is really necessary though, since this is a very minor 
issue that does not currently affect anyone (if you don't count partial 
upgrades to stuff from backports), and only has the *potential* to do so if 
it's not resolved before lenny is released.  then again, i've seen CVEs 
assigned for even less worthy things that ended up as non-issues (i.e. half 
of the php-related CVEs in the past year), so i'll defer to the security 
folks on that.



	sean
[signature.asc (application/pgp-signature, inline)]

Tags added: pending Request was from Sean Finney <seanius@alioth.debian.org> to control@bugs.debian.org. (Thu, 10 Apr 2008 17:30:16 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, sean finney <seanius@debian.org>:
Bug#473131; Package dbconfig-common. Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@seanius.net>:
Extra info received and forwarded to list. Copy sent to sean finney <seanius@debian.org>. Full text and rfc822 format available.

Message #63 received at 473131@bugs.debian.org (full text, mbox):

From: sean finney <seanius@seanius.net>
To: Stephen Gran <sgran@debian.org>, 473131@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#473131: dbconfig-common: diff for NMU version 1.8.37-0.1
Date: Thu, 10 Apr 2008 20:12:20 +0200
[Message part 1 (text/plain, inline)]
hey guys,

On Saturday 05 April 2008 02:02:55 am Stephen Gran wrote:
> Um,
>
> that last umask was crack.  This is actually correct.

just fyi, there's a problem in the patch for the sqlite version.  if the dump 
command fails the new umask call masks $? and the error is ignored.  also, 
there's a new codepath where umask might be set but not restored.  i've 
imported the changes into a pending upload for unstable (so no need for 
another upload there), but if you're working on something for stable you 
might want to look at that.  also, but less important, the new "old_umask" 
variables aren't scoped with a "local" declaration (this is also fixed in 
svn).


thanks
	sean
[signature.asc (application/pgp-signature, inline)]
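The two technical points in this thread are the original report (Message #5: dumps written with the default umask end up mode 0644 and world-readable) and the review of the NMU patch just above (Message #63: the umask call must not clobber the dump command's exit status, the old umask must be restored on every code path, and the saved value should be `local`). The following script is an added example, not dbconfig-common's own code or the NMU diff: `dump_private` shows the save/set/run/capture/restore ordering the review asks for, and `world_readable_files` is the audit a sysadmin could run over a backup directory. The function names are hypothetical, `echo` stands in for mysqldump, a temporary directory stands in for /var/cache/dbconfig-common/backups, and `local` is assumed to be supported by the shell (it is in dash, bash and busybox sh).

```shell
#!/bin/sh
# Added example: write a database dump that only the owner can read, while
# preserving the dump command's exit status and the caller's umask, then
# audit a backup directory for world-readable files.

# dump_private OUTFILE DUMP_CMD [ARGS...]
# Runs DUMP_CMD with stdout redirected to OUTFILE.  The file is created
# under umask 077, so it comes out mode 0600 regardless of the caller's
# umask.  Returns DUMP_CMD's exit status, never umask's.
dump_private() {
    local outfile="$1"; shift           # "local" keeps these out of the caller's scope
    local old_umask rc
    old_umask=$(umask)                  # save the caller's umask (octal string)
    umask 077                           # new files: owner read/write only
    "$@" > "$outfile"                   # run the dump (stand-in for mysqldump here)
    rc=$?                               # capture the status BEFORE any other command
    umask "$old_umask"                  # restore on every path, success or failure
    return "$rc"                        # report the dump's result, not umask's
}

# world_readable_files DIR
# Prints every regular file under DIR whose "other" read bit is set.
# Returns 1 if any were found (the bug from the report), 0 if none.
world_readable_files() {
    local dir="$1" found
    found=$(find "$dir" -type f -perm -004)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed demonstration: a throwaway directory stands in for the
# backups directory; one file is written the old way, one via dump_private.
demo() {
    local dir
    dir=$(mktemp -d)
    umask 022                                                    # typical root default
    printf 'CREATE TABLE t (x INT);\n' > "$dir/old-style.mysql"  # 0644: world-readable
    dump_private "$dir/new-style.mysql" echo 'CREATE TABLE t (x INT);'
    echo "umask after dump_private: $(umask)"                    # still 0022
    if world_readable_files "$dir"; then
        echo "no world-readable backups in $dir"
    else
        echo "world-readable backups found in $dir (listed above)"
    fi
    rm -rf "$dir"
}

demo
```

The order of the last three lines in `dump_private` is the whole point: reading `$?` after the `umask` call would always yield umask's own status (0), which is exactly how a failed dump goes unnoticed; capturing it first and restoring the umask unconditionally afterwards avoids both problems the review raised.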

Bug no longer marked as found in version 1.8.38. Request was from Sean Finney <seanius@debian.org> to control@bugs.debian.org. (Tue, 15 Jul 2008 20:54:06 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 1.8.37-0.1. Request was from Sean Finney <seanius@debian.org> to control@bugs.debian.org. (Tue, 15 Jul 2008 21:06:08 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 08:29:08 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 05:48:06 2014; Machine Name: beach.debian.org
