Package: passwd, base-config
Severity: grave
Tags: security patch d-i

The debian-installer team has determined that various sensitive information may be leaked into world-readable log files during the Debian installation process (sarge, etch, sid [1]). This includes:

- preseeded passwords for root and other users if a preseed file is being used for an automated install (via the debconf-seed log file in sarge, and the cdebconf database in etch (bug #356845))
- pppoeconf passwords in the base-config log file (bug #254068)
- various other information about what software was installed on the system, and the configuration of the system

Note that unlike the similar security issues that affected Ubuntu, root passwords are not leaked into the log files during regular, non-preseeded installs.

The attached patches to passwd's postinst close these holes for already installed systems, by chmoding all affected log files to mode 600. There are two patches, one is against passwd 1:4.0.14-7 from unstable, and one is against passwd 1:4.0.3-31sarge5 from stable. I've also included a patch for base-config in stable to do the same thing [2]. In combination with installation-report 2.13 (unstable), this will fix the issue in all circumstances.

Note that passwd is not where this bug originated, and is only being involved in the fix because there is no better place to put the fix. Unfortunately, in systems installed by the sarge installer, some of the affected log files are not "owned" by any particular package, so the fix has to go into an unrelated package that is installed/upgraded on every system.

-- 
see shy jo

[1] oldstable may also be vulnerable to the #254068 part of this issue, but I have not investigated it.
[2] The passwd fix is needed to fix already installed systems on upgrade now, while the base-config fix is needed to secure systems installed after the passwd package is accepted into the next stable point release.
diff -ur old/shadow-4.0.14/debian/changelog shadow-4.0.14/debian/changelog --- old/shadow-4.0.14/debian/changelog 2006-03-14 15:25:49.000000000 -0500 +++ shadow-4.0.14/debian/changelog 2006-03-14 16:13:19.000000000 -0500 @@ -1,3 +1,11 @@ +shadow (1:4.0.14-8) unstable; urgency=high + + * passwd.postinst: On upgrades from any prior version, chmod 600 various + base-config and d-i log files that might contain sensative information, + including in some cases, passwords. + + -- Joey Hess <[EMAIL PROTECTED]> Tue, 14 Mar 2006 16:12:11 -0500 + shadow (1:4.0.14-7) unstable; urgency=low * The "Carré d'Aurillac" release (let's stay in Cantal) diff -ur old/shadow-4.0.14/debian/passwd.postinst shadow-4.0.14/debian/passwd.postinst --- old/shadow-4.0.14/debian/passwd.postinst 2006-03-14 15:25:49.000000000 -0500 +++ shadow-4.0.14/debian/passwd.postinst 2006-03-14 16:22:36.000000000 -0500 @@ -4,6 +4,19 @@ case "$1" in configure) + # Fix permissions on various log files from old versions of the debian + # installer, some unrelated to passwd but we decided to put the fix + # here since there was no better place. This can safely be removed + # after etch is released. + if dpkg --compare-versions "$2" lt "1:4.0.14-8"; then + for log in /var/log/base-config* \ + $(find /var/log/debian-installer/ /var/log/installer/ -type f 2>/dev/null ); do + if [ -e "$log" ]; then + chmod 600 "$log" + fi + done + fi + rm -f /etc/pam.d/passwd.pre-upgrade 2>/dev/null if ! getent group shadow | grep -q '^shadow:[^:]*:42' then
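Review bot: In the passwd.postinst hunk, the unquoted `$(find ... -type f 2>/dev/null )` in the `for log in` list is word-split by the shell, so a log file whose path contains whitespace is broken into fragments that fail `[ -e "$log" ]` and is silently left at its old mode. Letting find apply the mode avoids the split: `find /var/log/debian-installer/ /var/log/installer/ -type f -exec chmod 600 {} +`, with the loop kept only for the `/var/log/base-config*` glob.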
diff -ur old/shadow-4.0.3/debian/changelog shadow-4.0.3/debian/changelog --- old/shadow-4.0.3/debian/changelog 2006-03-14 16:23:51.000000000 -0500 +++ shadow-4.0.3/debian/changelog 2006-03-14 16:16:25.000000000 -0500 @@ -1,3 +1,11 @@ +shadow (1:4.0.3-31sarge6) stable-security; urgency=high + + * passwd.postinst: On upgrades from any prior version, chmod 600 various + base-config and d-i log files that might contain sensative information, + including in some cases, passwords. + + -- Joey Hess <[EMAIL PROTECTED]> Tue, 14 Mar 2006 16:14:26 -0500 + shadow (1:4.0.3-31sarge5) testing-proposed-updates; urgency=high * Re-apply the debian/patches/036_CAN-2004-1001_passwd_check patch diff -ur old/shadow-4.0.3/debian/passwd.postinst shadow-4.0.3/debian/passwd.postinst --- old/shadow-4.0.3/debian/passwd.postinst 2006-03-14 16:23:51.000000000 -0500 +++ shadow-4.0.3/debian/passwd.postinst 2006-03-14 16:17:28.000000000 -0500 @@ -10,6 +10,19 @@ if test "$1" = configure then + # Fix permissions on various log files from old versions of the debian + # installer, some unrelated to passwd but we decided to put the fix + # here since there was no better place. This can safely be removed + # after etch is released. + if dpkg --compare-versions "$2" lt "1:4.0.3-31sarge6"; then + for log in /var/log/base-config* \ + $(find /var/log/debian-installer/ /var/log/installer/ -type f 2>/dev/null ); do + if [ -e "$log" ]; then + chmod 600 "$log" + fi + done + fi + rm -f /etc/pam.d/passwd.pre-upgrade 2>/dev/null if ! getent group shadow | grep -q '^shadow:[^:]*:42' then
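Review bot: In the passwd.postinst hunk for 1:4.0.3-31sarge6, the `[ -e "$log" ]` test guards the `/var/log/base-config*` arm more loosely than the find arm's `-type f`: a directory or symlink matching the glob passes it, and chmod on a symlink changes the mode of the link's target. Testing `[ -f "$log" ] && [ ! -L "$log" ]` instead would restrict both arms to regular files.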
diff -ur old/base-config-2.53.10/base-config base-config-2.53.10.1/base-config --- old/base-config-2.53.10/base-config 2005-05-13 17:00:26.000000000 -0400 +++ base-config-2.53.10.1/base-config 2006-03-14 16:02:24.000000000 -0500 @@ -28,6 +28,14 @@ SHELL=/bin/sh export SHELL +# Fix permissions of log files to avoid data leakage. +for log in /var/log/base-config* \ + $(find /var/log/debian-installer/ /var/log/installer/ -type f 2>/dev/null ); do + if [ -e "$log" ]; then + chmod 600 "$log" + fi +done + gettext "Configuring the base system..." echo diff -ur old/base-config-2.53.10/debian/changelog base-config-2.53.10.1/debian/changelog --- old/base-config-2.53.10/debian/changelog 2005-05-15 14:56:15.000000000 -0400 +++ base-config-2.53.10.1/debian/changelog 2006-03-14 16:26:02.000000000 -0500 @@ -1,3 +1,11 @@ +base-config (2.53.10.1) stable-security; urgency=high + + * Add permission fixing code to base-config to deal with data leakage in + d-i and base-config log files. chmod all possibly affected log files 600. + * Disable Mirrors.masterlist downloading for stable build. + + -- Joey Hess <[EMAIL PROTECTED]> Tue, 14 Mar 2006 16:02:28 -0500 + base-config (2.53.10) testing; urgency=low * Christian Perrier diff -ur old/base-config-2.53.10/debian/rules base-config-2.53.10.1/debian/rules --- old/base-config-2.53.10/debian/rules 2005-05-13 17:00:22.000000000 -0400 +++ base-config-2.53.10.1/debian/rules 2006-03-14 16:26:25.000000000 -0500 @@ -2,6 +2,7 @@ CVSGET=cvs -d":pserver:[EMAIL PROTECTED]:/cvs/webwml" \ co -p webwml/english/mirror/Mirrors.masterlist +ONLINE=n build: # Freshen Mirrors.masterlist file, but allow failure.
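Review bot: In the base-config script hunk, the chmod loop runs once, before the "Configuring the base system..." message, so it only covers log files that already exist at that point; anything written to /var/log/base-config* later in the same run is outside it. If the log is opened after this point, setting a restrictive umask or creating the log file with mode 600 before it is first written would cover it; if it already exists here, a comment saying so would help the next reader.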
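Review bot: In the debian/rules hunk, `ONLINE=n` is added without a comment, and the visible context does not show where the variable is read; the neighbouring comment still says "Freshen Mirrors.masterlist file, but allow failure." A one-line comment beside the assignment stating that it disables the Mirrors.masterlist download for the stable build, as the changelog entry does, would keep the intent in the file itself.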
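A way to check whether a system is still exposed, and to confirm the mode change took effect after upgrading, added here as an example that is not part of the original message or its patches. The function names and the ROOT prefix argument (which lets the check run against a mounted image or a test tree) are assumptions; the paths are the ones the patches touch.

```shell
#!/bin/sh
# Added example, not from the original patches. Function names and the
# ROOT prefix argument are assumptions made for illustration.

# Run find over the log locations named in the patches, appending the
# caller's find expression. Paths are never passed through word
# splitting, so names containing whitespace are handled.
_installer_logs() {   # _installer_logs ROOT find-expression...
    root=$1; shift
    # base-config logs sit directly in /var/log
    find "$root/var/log" -maxdepth 1 -type f -name 'base-config*' \
        "$@" 2>/dev/null || true
    # d-i logs: sarge and etch directory names
    find "$root/var/log/debian-installer" "$root/var/log/installer" \
        -type f "$@" 2>/dev/null || true
}

# Print every affected log readable by group or others.
# Returns 0 if none are found, 1 otherwise.
audit_installer_logs() {
    out=$(_installer_logs "${1:-}" \( -perm -040 -o -perm -004 \) -print)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Apply the same mode the patches use (600) to regular files only.
fix_installer_logs() {
    _installer_logs "${1:-}" -exec chmod 600 {} +
}
```

Calling `audit_installer_logs` with no argument checks the running system; a non-zero exit status means at least one listed file is still readable by non-root users.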