That's got to be my one super-power -- asking a question and finding out
that no, I didn't find a bug, but by asking the question someone *else*
spots a bug.
How about this?
# Derive a sigv4 signing key for the given secret
# get_sigv4_key [key] [datestamp] [region name] [service name]
getsigv4key () {
base="$(/bin/echo -n "AWS4${1}" | /usr/bin/od -A n -t x1 | /bin/sed
':a;N;$!ba;s/[\n ]//g')"
kdate="$(sign "${base}" "${2}")"
kregion="$(sign "${kdate}" "${3}")"
kservice="$(sign "${kregion}" "${4}")"
sign "${kservice}" "aws4_request"
}
This appears to execute /bin/echo with a key as a parameter, where it may be
visible to ps(1) output or /proc/*/cmdline.
What's the consequences of exposing this key to all users on the
computer?
Thanks
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835114
Title:
[MIR] ec2-instance-connect
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1835114/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
