Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 159502 - CAN-2005-1760 sysreport includes proxy password in cleartext
Summary: CAN-2005-1760 sysreport includes proxy password in cleartext
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: sysreport
Version: 3.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Ngo Than
QA Contact: Ben Levenson
URL:
Whiteboard: impact=moderate,reported=20050601,sou...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-06-03 07:44 UTC by Issue Tracker
Modified: 2007-11-30 22:07 UTC (History)
2 users (show)

Fixed In Version: RHSA-2005-502
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-06-13 12:22:17 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:502 normal SHIPPED_LIVE Moderate: sysreport security update 2005-06-13 04:00:00 UTC

Description Issue Tracker 2005-06-03 07:44:25 UTC
Escalated to Bugzilla from IssueTracker

Comment 11 Mark J. Cox 2005-06-06 10:34:18 UTC
This has a security conseqence as it breaks a security promise (sysreport says
that it's goals are not to "the invasion of the user's privacy; and the
collection of information that could be detrimental to the integrity of the system."

I don't see this is a Sev1 however, it's security severity "moderate" at the most.

Comment 15 Ngo Than 2005-06-06 18:13:38 UTC
i have taken a look at up2date file, there are 2 lines in this file.

..
proxyPassword[comment]=The password to use for an authenticated proxy
proxyPassword=
..

with following lines it should fix this problem.

cat up2date | grep -vi 'password' > up2date.newfile
mv up2date.newfile up2date


Comment 16 Neil Horman 2005-06-06 18:18:11 UTC
You should be able to get most of the relevant data out of my patch above I
think (which Florian posted).  In /etc/sysconfig/rhn/up2date there should be a
line that matches the regex:
\(.*password=\)\(.*\)
The second part of that regex ( the \(.*\) should be the string representing the
password.

The patch above adds a fixup function to sysreport to allow you to easily strip
out unwanted data from sensitive files like this


Comment 17 Ngo Than 2005-06-07 08:03:01 UTC
Neil, i have fixed the match string in your patch, so it works fine now.
i have already committed the changes in CVS.

Should i do security errata for this, or just add into next RHEL-update?

Comment 18 Mark J. Cox 2005-06-07 08:18:31 UTC
Since this affects all RHEL I'd prefer a single async errata for this.

Comment 19 Mark J. Cox 2005-06-07 08:21:14 UTC
Since this flaw breaks a security promise it deserves a CVE name, therefore I've
assigned CAN-2005-1760 to this issue.

Comment 28 Josh Bressers 2005-06-13 11:40:16 UTC
When run by the root user, sysreport includes the contents of the
/etc/sysconfig/rhn/up2date configuration file. If up2date has been
configured to connect to a proxy server that requires an authentication
password, that password is included in plain text in the system report.
The Common Vulnerabilities and Exposures project assigned the name
CAN-2005-1760 to this issue.

Comment 29 Josh Bressers 2005-06-13 12:22:17 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-502.html



Note You need to log in before you can comment on or make changes to this bug.