Red Hat Bugzilla – Bug 159502
CAN-2005-1760 sysreport includes proxy password in cleartext
Last modified: 2007-11-30 17:07:07 EST
Escalated to Bugzilla from IssueTracker
This has a security conseqence as it breaks a security promise (sysreport says
that it's goals are not to "the invasion of the user's privacy; and the
collection of information that could be detrimental to the integrity of the system."
I don't see this is a Sev1 however, it's security severity "moderate" at the most.
i have taken a look at up2date file, there are 2 lines in this file.
proxyPassword[comment]=The password to use for an authenticated proxy
with following lines it should fix this problem.
cat up2date | grep -vi 'password' > up2date.newfile
mv up2date.newfile up2date
You should be able to get most of the relevant data out of my patch above I
think (which Florian posted). In /etc/sysconfig/rhn/up2date there should be a
line that matches the regex:
The second part of that regex ( the \(.*\) should be the string representing the
The patch above adds a fixup function to sysreport to allow you to easily strip
out unwanted data from sensitive files like this
Neil, i have fixed the match string in your patch, so it works fine now.
i have already committed the changes in CVS.
Should i do security errata for this, or just add into next RHEL-update?
Since this affects all RHEL I'd prefer a single async errata for this.
Since this flaw breaks a security promise it deserves a CVE name, therefore I've
assigned CAN-2005-1760 to this issue.
When run by the root user, sysreport includes the contents of the
/etc/sysconfig/rhn/up2date configuration file. If up2date has been
configured to connect to a proxy server that requires an authentication
password, that password is included in plain text in the system report.
The Common Vulnerabilities and Exposures project assigned the name
CAN-2005-1760 to this issue.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.