C. Dominik Bodi
2009-Oct-21 17:12 UTC
[Secure-testing-team] Bug#551907: mandos-client adds unnecessary files to initrd
Package: mandos-client
Version: 1.0.12-1
Severity: critical
Tags: security
Justification: root security hole

The update-initramfs hook script for mandos-client adds several files into the initrd that are not necessary for its operation. One of the files being added causes a severe security risk for other mandos clients in case the client acts as a mandos server as well.

The superfluous files can be found in initrd_root/etc/conf/conf.d/mandos/

First of all, backup files created by various text editors, for instance emacsen's "filename~" (notice the tilde) files, are added to the initrd.

More importantly, if the mandos server package is installed on the same computer, /etc/mandos/mandos.conf and /etc/mandos/clients.conf will be added to the initrd as well. The latter contains the fingerprints of other mandos clients. If the initrd file was compromised, it would be very easy to set up a rogue mandos server in order to snoop the other clients' disk encryption passwords.

Regards,
Dominik Bodi

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31.4-via-1
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages mandos-client depends on:
ii  adduser           3.111           add and remove users and groups
ii  cryptsetup        2:1.1.0~rc2-1   configures encrypted block devices
ii  libavahi-common3  0.6.25-1        Avahi common library
ii  libavahi-core6    0.6.25-1        Avahi's embeddable mDNS/DNS-SD lib
ii  libc6             2.10.1-1        GNU C Library: Shared libraries
ii  libgnutls26       2.8.4-1         the GNU TLS library - runtime libr
ii  libgpg-error0     1.6-1           library for common error values an
ii  libgpgme11        1.2.0-1         GPGME - GnuPG Made Easy

mandos-client recommends no packages.

mandos-client suggests no packages.

-- no debconf information
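The shell script below is an added example written for this page; it is not part of the bug report, of the Debian package, or of the Mandos project. It audits an already unpacked initrd tree for the two classes of file the report describes (editor backup files such as "name~", and the server-side mandos.conf and clients.conf under /etc/mandos), so an administrator can check what an initramfs hook actually shipped before the image is trusted. The sample tree it builds is constructed for the demo, and the client file name plugin-runner.conf is assumed to be a legitimately needed client file.

```shell
#!/bin/sh
# Added example (not from the bug report or the Mandos project).
# Audits an unpacked initramfs tree for files a mandos *client* initrd
# has no business carrying. Unpack the image first, e.g. with
#   unmkinitramfs /boot/initrd.img-$(uname -r) DIR        (initramfs-tools)
# or, for a plain cpio image,
#   mkdir DIR && cd DIR && zcat /boot/initrd.img-... | cpio -id

# list_stray_mandos_files DIR
# Prints "reason<TAB>path" for each suspicious file under DIR/etc/mandos.
list_stray_mandos_files() {
    confdir="$1/etc/mandos"
    [ -d "$confdir" ] || return 0
    # Editor backup and swap files: emacs "name~" and "#name#", vim ".name.swp".
    find "$confdir" -type f \( -name '*~' -o -name '#*#' -o -name '.*.swp' \) \
        | while read -r f; do
            printf 'backup-file\t%s\n' "$f"
        done
    # Server-side configuration. clients.conf lists other clients'
    # fingerprints, which is exactly what should not leave the server.
    for srv in mandos.conf clients.conf; do
        if [ -f "$confdir/$srv" ]; then
            printf 'server-config\t%s\n' "$confdir/$srv"
        fi
    done
    return 0
}

# count_stray_mandos_files DIR
# Prints the number of findings (0 when the tree is clean).
count_stray_mandos_files() {
    list_stray_mandos_files "$1" | awk 'END { print NR }'
}

# audit_initrd_tree DIR
# Prints the findings; returns 0 when the tree is clean, 1 otherwise.
audit_initrd_tree() {
    findings=$(list_stray_mandos_files "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# make_sample_tree DIR
# Constructed sample of what the faulty hook described in the report produced:
# the client's own config plus an editor backup and the server's two files.
make_sample_tree() {
    mkdir -p "$1/etc/mandos/plugins.d"
    : > "$1/etc/mandos/plugin-runner.conf"    # assumed legitimate client file
    : > "$1/etc/mandos/plugin-runner.conf~"   # emacs backup file
    : > "$1/etc/mandos/mandos.conf"           # server config
    : > "$1/etc/mandos/clients.conf"          # server config, other clients' fingerprints
}

# Stand-alone demo on the constructed tree.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
audit_initrd_tree "$demo_dir" || echo "initrd tree $demo_dir carries stray files"
rm -rf "$demo_dir"
```

On a real system, point audit_initrd_tree at the directory the image was unpacked into; a non-zero exit is a signal to fix the hook (or its inclusion list) and regenerate the initrd with update-initramfs before rebooting.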