Alexander Gerasiov
2009-Jan-15 13:30 UTC
[Secure-testing-team] Bug#511893: ucf stores diff (of private files) in debconf (world readable)
Package: ucf
Version: 3.0011
Severity: grave
Tags: security

How to reproduce:

root@vice:/tmp/ucftest# cat test1
password="secret";
user="root";
start="no";
foor="bar";
root@vice:/tmp/ucftest#

Let's install it:

root@vice:/tmp/ucftest# ucf test1 /tmp/ucftest/installed
Creating config file /tmp/ucftest/installed with new version
root@vice:/tmp/ucftest#

Now we will change password from "secret" to "verysecret" :) And will install upgraded package :)

root@vice:/tmp/ucftest# cat test2
password="secret";
user="root";
start="no";
foor="bar";
bar="foo";
root@vice:/tmp/ucftest# ucf test2 /tmp/ucftest/installed
Replacing config file /tmp/ucftest/installed with new version

When ucf asks for confirm I look at diff.

And now let's search through debconf database /var/cache/debconf/config.dat: OMG!

====
Name: ucf/show_diff
Template: ucf/show_diff
Value:
Owners: ucf
Flags: seen
Variables:
 DIFF = --- /tmp/ucftest/installed 2009-01-15 16:19:18.122649009 +0300\n+++ /tmp/ucftest/test2 2009-01-15 16:19:08.263149119 +0300\n@@ -1,4 +1,5 @@\n-password="verysecret";\n+password="secret";\n user="root";\n start="no";\n foor="bar";\n+bar="foo";
====

/var/cache/debconf/config.dat is world readable.

-- System Information:
Debian Release: 5.0
  APT prefers testing-proposed-updates
  APT policy: (700, 'testing-proposed-updates'), (700, 'testing'), (670, 'proposed-updates'), (670, 'stable'), (600, 'unstable'), (550, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages ucf depends on:
ii  coreutils  6.10-6  The GNU core utilities
ii  debconf    1.5.24  Debian configuration management sy

ucf recommends no packages.

ucf suggests no packages.

-- debconf information:
* ucf/show_diff:
* ucf/changeprompt_threeway: install_new
  ucf/title:
* ucf/changeprompt: install_new
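A defender's check for the condition this report describes, added here as an example and not part of the bug report or of ucf itself: it parses a debconf config.dat-style file, extracts any DIFF variable stored under the ucf/show_diff stanza, and tests whether the file is readable by other users. The sample stanza is constructed from the report's output; the real file is /var/cache/debconf/config.dat, and the `find -perm -o=r` form assumes GNU find.

```shell
#!/bin/sh
# Detect a leftover ucf/show_diff DIFF payload in a world-readable debconf database.
# Sample stanza below is constructed from the bug report; real file is
# /var/cache/debconf/config.dat.

# Write a constructed config.dat-style sample to the path given as $1.
make_sample() {
  cat > "$1" <<'EOF'
Name: debconf/frontend
Template: debconf/frontend
Value: Dialog
Owners: debconf
Flags: seen

Name: ucf/show_diff
Template: ucf/show_diff
Value:
Owners: ucf
Flags: seen
Variables:
 DIFF = --- /tmp/ucftest/installed\n+++ /tmp/ucftest/test2\n-password="verysecret";\n+password="secret";
EOF
}

# Print the DIFF variable stored under the ucf/show_diff stanza (empty if none).
# awk tracks the current stanza from its "Name:" line and reports DIFF only inside it.
leaked_diff() {
  awk '/^Name: / { cur = $2 }
       cur == "ucf/show_diff" && /^[ \t]*DIFF = / { sub(/^[ \t]*DIFF = /, ""); print }' "$1"
}

# Succeed when the file carries the "other read" permission bit (GNU find assumed).
world_readable() {
  [ -n "$(find "$1" -prune -perm -o=r)" ]
}

# Exit 0 when a stored diff sits in a world-readable file, i.e. the report's condition.
ucf_diff_exposed() {
  [ -n "$(leaked_diff "$1")" ] && world_readable "$1"
}

# Stand-alone run against the constructed sample.
f=$(mktemp)
make_sample "$f"
chmod 644 "$f"
if ucf_diff_exposed "$f"; then
  echo "EXPOSED: $f holds a ucf diff and is world readable:"
  leaked_diff "$f"
fi
rm -f "$f"
```

Point `ucf_diff_exposed` at /var/cache/debconf/config.dat to check a live system; a non-empty `leaked_diff` output on a 0644 file reproduces the exposure the report shows.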