Your message dated Sat, 12 Apr 2008 17:54:36 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#439392: fixed in backup-manager 0.5.7-1sarge2
has caused the Debian Bug report #439392,
regarding backup-manager: password disclosure in backup uploads
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
439392: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=439392
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: backup-manager
Version: 0.7.5-3
Severity: critical
Tags: security
Justification: root security hole

Hi,

I just discovered that backup-manager discloses the FTP password
in the process list during a running FTP upload.

A user who has shell access to the computer simply needs to run the command

   ps wax | grep backup-manager
   
to get the FTP username, hostname and password. The output is something
like this (I have replaced the sensitive data here with FTPHOST, FTPUSER and FTPPASS):

 3796 pts/1    SN+    0:00 /bin/bash /usr/sbin/backup-manager -v
12647 pts/1    RN+    0:47 /usr/bin/perl /usr/bin/backup-manager-upload -v --ftp-purge -m=ftp -h=FTPHOST -u=FTPUSER -p=FTPPASS ...

With this data the attacking user is able to log in to the same FTP
space where the archives created by backup-manager are uploaded to. So
the attacking user is also able to simply download these archives and
extract them as a normal user -- with full access to all included files,
even those originally accessible only by root. :-(

Have a nice day
   Micha


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-k7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages backup-manager depends on:
ii  debconf [debconf-2.0]         1.5.11     Debian configuration management sy
ii  findutils                     4.2.28-1   utilities for finding files--find,
ii  gzip                          1.3.5-15   The GNU compression utility
ii  ucf                           2.0020     Update Configuration File: preserv

backup-manager recommends no packages.

-- debconf information excluded


--- End Message ---
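The leak described in the report, as an added shell example that is not part of backup-manager or of the bug report. On Linux, /proc/<pid>/cmdline is world-readable, so any local user can recover a password that was passed as an argument for as long as the process runs. The two "uploader" scripts the example writes are hypothetical stand-ins for backup-manager-upload: one takes -p PASSWORD in argv like the reported 0.7.5-3 invocation, the other reads the password from stdin out of a mode-0600 file. Feeding the secret over stdin is one possible mitigation assumed here for illustration; the page does not say how the fixed package passes the password. The host name, user name and password are constructed sample values.

```shell
#!/bin/sh
# Added example: show that a password in argv is visible to every local user
# through ps(1) / /proc/<pid>/cmdline, and that passing it on stdin is not.
# The uploader scripts below are hypothetical stand-ins, not backup-manager code.

FTP_HOST=ftp.example.org        # constructed sample values
FTP_USER=backup
DEMO_PASSWORD='S3cret-pw'

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Write both hypothetical uploaders. Neither uploads anything; they only stay
# alive for a few seconds so the process list can be inspected meanwhile.
make_uploaders() {
    [ -f "$work/leaky-upload" ] && return 0
    cat > "$work/leaky-upload" <<'EOF'
#!/bin/sh
# Flawed design: leaky-upload -m ftp -h HOST -u USER -p PASSWORD
sleep 3
exit 0
EOF
    cat > "$work/safer-upload" <<'EOF'
#!/bin/sh
# Hardened design (assumed): safer-upload -m ftp -h HOST -u USER < password-file
IFS= read -r FTP_PASSWORD       # the secret never appears in argv
sleep 3
exit 0
EOF
}

# The command line of a running pid as any local user sees it
# (Linux /proc, with a ps(1) fallback for other systems).
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Start an uploader in the background, snapshot its command line once it is
# running, stop it, and print the snapshot.
# $1: uploader script, $2: file to connect to its stdin, rest: its argv
snapshot_cmdline() {
    script=$1; stdin_file=$2; shift 2
    sh "$script" "$@" < "$stdin_file" > /dev/null 2>&1 &
    pid=$!
    sleep 1                              # give exec() time to happen
    seen=$(cmdline_of "$pid")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    printf '%s\n' "$seen"
}

# Returns 0 (true) when the password is visible in the process list.
argv_upload_leaks() {
    make_uploaders
    seen=$(snapshot_cmdline "$work/leaky-upload" /dev/null \
           -m ftp -h "$FTP_HOST" -u "$FTP_USER" -p "$1")
    echo "argv design : $seen"
    case "$seen" in *"$1"*) return 0 ;; esac
    return 1
}

# Same check for the stdin design: the password lives in a file created under
# umask 077, so other users can read neither the file nor the argv.
stdin_upload_leaks() {
    make_uploaders
    (umask 077; printf '%s\n' "$1" > "$work/ftp-password")
    seen=$(snapshot_cmdline "$work/safer-upload" "$work/ftp-password" \
           -m ftp -h "$FTP_HOST" -u "$FTP_USER")
    echo "stdin design: $seen"
    case "$seen" in *"$1"*) return 0 ;; esac
    return 1
}

# Demonstration run: the first design leaks, the second does not.
if argv_upload_leaks "$DEMO_PASSWORD"; then
    echo "-> password LEAKED to every local user via the process list"
fi
if stdin_upload_leaks "$DEMO_PASSWORD"; then
    echo "-> password leaked"
else
    echo "-> password HIDDEN from the process list"
fi
```

Putting the secret in an environment variable is the other common replacement for an argv password. That closes the cross-user leak in the report, because /proc/<pid>/environ is readable only by the process owner and root, but it still exposes the secret to every process running as the same user (for instance via `ps e`), so stdin or a 0600 file is the stronger choice for a tool that runs as root.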
--- Begin Message ---
Source: backup-manager
Source-Version: 0.5.7-1sarge2

We believe that the bug you reported is fixed in the latest version of
backup-manager, which is due to be installed in the Debian FTP archive:

backup-manager_0.5.7-1sarge2.diff.gz
  to pool/main/b/backup-manager/backup-manager_0.5.7-1sarge2.diff.gz
backup-manager_0.5.7-1sarge2.dsc
  to pool/main/b/backup-manager/backup-manager_0.5.7-1sarge2.dsc
backup-manager_0.5.7-1sarge2_all.deb
  to pool/main/b/backup-manager/backup-manager_0.5.7-1sarge2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated backup-manager package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 15 Mar 2008 22:30:05 +0100
Source: backup-manager
Binary: backup-manager
Architecture: source all
Version: 0.5.7-1sarge2
Distribution: oldstable-security
Urgency: high
Maintainer: Alexis Sukrieh <[EMAIL PROTECTED]>
Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]>
Description: 
 backup-manager - command-line backup tool for GNU Linux
Closes: 439392
Changes: 
 backup-manager (0.5.7-1sarge2) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the security team.
   * Fix FTP password disclosure during FTP uploads, based on
     maintainer-supplied patch. Closes: #439392. CVE-2007-4656
Files: 
 fad99430055e40413827e477768dd077 923 admin optional backup-manager_0.5.7-1sarge2.dsc
 4c33c9b8711ca3da4eb7f8f77214c26a 18510 admin optional backup-manager_0.5.7-1sarge2.diff.gz
 05b3fbc927d4ca0e7823a5dca7a1b9b0 30740 admin optional backup-manager_0.5.7-1sarge2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQEVAwUBR9xCpmz0hbPcukPfAQI+Vwf7BaXpmmdC9lC7ILEXpnl23eYu0M7S5s7P
gXZVLdrxivBoegS4GLPI8H3IwCCGEr/QIFqZj2Bh3U9cbvii2jvAtsv7n0b1T6E/
CnRQPPNsIcCwFofmDnPeyHoK+6C8fE53H8mS4OuHFVkecSuIh40MHZ3w0n85Unuj
126nGQf1BFuFI4j2deq/6b9VcsYiqDyBqR1XT2MyThW0q1r6nW0UPG1PgaQsC2lN
5SH2fnsd2hJmArrJ/uh07ZqV1vRQgvrtk03+OFDJkJ0kHHwXaayE49R2F9dRWe29
suzkyUQYeKKGGiUGzqGuNMU6dr6RNagWKBsih2NALsLHx5Bp+UfaRQ==
=+krm
-----END PGP SIGNATURE-----



--- End Message ---