Bug 159502 - CAN-2005-1760 sysreport includes proxy password in cleartext
Summary: CAN-2005-1760 sysreport includes proxy password in cleartext
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: sysreport
Version: 3.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Than Ngo
QA Contact: Ben Levenson
URL:
Whiteboard: impact=moderate,reported=20050601,sou...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-06-03 07:44 UTC by Issue Tracker
Modified: 2007-11-30 22:07 UTC (History)
2 users (show)

Fixed In Version: RHSA-2005-502
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-06-13 12:22:17 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2005:502 0 normal SHIPPED_LIVE Moderate: sysreport security update 2005-06-13 04:00:00 UTC

Description Issue Tracker 2005-06-03 07:44:25 UTC 
Escalated to Bugzilla from IssueTracker
Comment 11 Mark J. Cox 2005-06-06 10:34:18 UTC 
This has a security conseqence as it breaks a security promise (sysreport says
that it's goals are not to "the invasion of the user's privacy; and the
collection of information that could be detrimental to the integrity of the system."

I don't see this is a Sev1 however, it's security severity "moderate" at the most.
Comment 15 Than Ngo 2005-06-06 18:13:38 UTC 
i have taken a look at up2date file, there are 2 lines in this file.

..
proxyPassword[comment]=The password to use for an authenticated proxy
proxyPassword=
..

with following lines it should fix this problem.

cat up2date | grep -vi 'password' > up2date.newfile
mv up2date.newfile up2date
Comment 16 Neil Horman 2005-06-06 18:18:11 UTC 
You should be able to get most of the relevant data out of my patch above I
think (which Florian posted).  In /etc/sysconfig/rhn/up2date there should be a
line that matches the regex:
\(.*password=\)\(.*\)
The second part of that regex ( the \(.*\) should be the string representing the
password.

The patch above adds a fixup function to sysreport to allow you to easily strip
out unwanted data from sensitive files like this
Comment 17 Than Ngo 2005-06-07 08:03:01 UTC 
Neil, i have fixed the match string in your patch, so it works fine now.
i have already committed the changes in CVS.

Should i do security errata for this, or just add into next RHEL-update?
Comment 18 Mark J. Cox 2005-06-07 08:18:31 UTC 
Since this affects all RHEL I'd prefer a single async errata for this.
Comment 19 Mark J. Cox 2005-06-07 08:21:14 UTC 
Since this flaw breaks a security promise it deserves a CVE name, therefore I've
assigned CAN-2005-1760 to this issue.
Comment 28 Josh Bressers 2005-06-13 11:40:16 UTC 
When run by the root user, sysreport includes the contents of the
/etc/sysconfig/rhn/up2date configuration file. If up2date has been
configured to connect to a proxy server that requires an authentication
password, that password is included in plain text in the system report.
The Common Vulnerabilities and Exposures project assigned the name
CAN-2005-1760 to this issue.
Comment 29 Josh Bressers 2005-06-13 12:22:17 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-502.html
Note You need to log in before you can comment on or make changes to this bug.