Bug 159502 - CAN-2005-1760 sysreport includes proxy password in cleartext
CAN-2005-1760 sysreport includes proxy password in cleartext
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: sysreport (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Ngo Than
Ben Levenson
: Security
Depends On:
  Show dependency treegraph
Reported: 2005-06-03 03:44 EDT by Issue Tracker
Modified: 2007-11-30 17:07 EST (History)
2 users (show)

See Also:
Fixed In Version: RHSA-2005-502
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-06-13 08:22:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Issue Tracker 2005-06-03 03:44:25 EDT
Escalated to Bugzilla from IssueTracker
Comment 11 Mark J. Cox (Product Security) 2005-06-06 06:34:18 EDT
This has a security conseqence as it breaks a security promise (sysreport says
that it's goals are not to "the invasion of the user's privacy; and the
collection of information that could be detrimental to the integrity of the system."

I don't see this is a Sev1 however, it's security severity "moderate" at the most.
Comment 15 Ngo Than 2005-06-06 14:13:38 EDT
i have taken a look at up2date file, there are 2 lines in this file.

proxyPassword[comment]=The password to use for an authenticated proxy

with following lines it should fix this problem.

cat up2date | grep -vi 'password' > up2date.newfile
mv up2date.newfile up2date
Comment 16 Neil Horman 2005-06-06 14:18:11 EDT
You should be able to get most of the relevant data out of my patch above I
think (which Florian posted).  In /etc/sysconfig/rhn/up2date there should be a
line that matches the regex:
The second part of that regex ( the \(.*\) should be the string representing the

The patch above adds a fixup function to sysreport to allow you to easily strip
out unwanted data from sensitive files like this
Comment 17 Ngo Than 2005-06-07 04:03:01 EDT
Neil, i have fixed the match string in your patch, so it works fine now.
i have already committed the changes in CVS.

Should i do security errata for this, or just add into next RHEL-update?
Comment 18 Mark J. Cox (Product Security) 2005-06-07 04:18:31 EDT
Since this affects all RHEL I'd prefer a single async errata for this.
Comment 19 Mark J. Cox (Product Security) 2005-06-07 04:21:14 EDT
Since this flaw breaks a security promise it deserves a CVE name, therefore I've
assigned CAN-2005-1760 to this issue.
Comment 28 Josh Bressers 2005-06-13 07:40:16 EDT
When run by the root user, sysreport includes the contents of the
/etc/sysconfig/rhn/up2date configuration file. If up2date has been
configured to connect to a proxy server that requires an authentication
password, that password is included in plain text in the system report.
The Common Vulnerabilities and Exposures project assigned the name
CAN-2005-1760 to this issue.
Comment 29 Josh Bressers 2005-06-13 08:22:17 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.