Bug 159502 - CAN-2005-1760 sysreport includes proxy password in cleartext
CAN-2005-1760 sysreport includes proxy password in cleartext
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: sysreport (Show other bugs)
3.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Ngo Than
Ben Levenson
impact=moderate,reported=20050601,sou...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-06-03 03:44 EDT by Issue Tracker
Modified: 2007-11-30 17:07 EST (History)
2 users (show)

See Also:
Fixed In Version: RHSA-2005-502
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-06-13 08:22:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Issue Tracker 2005-06-03 03:44:25 EDT
Escalated to Bugzilla from IssueTracker
Comment 11 Mark J. Cox (Product Security) 2005-06-06 06:34:18 EDT
This has a security conseqence as it breaks a security promise (sysreport says
that it's goals are not to "the invasion of the user's privacy; and the
collection of information that could be detrimental to the integrity of the system."

I don't see this is a Sev1 however, it's security severity "moderate" at the most.
Comment 15 Ngo Than 2005-06-06 14:13:38 EDT
i have taken a look at up2date file, there are 2 lines in this file.

..
proxyPassword[comment]=The password to use for an authenticated proxy
proxyPassword=
..

with following lines it should fix this problem.

cat up2date | grep -vi 'password' > up2date.newfile
mv up2date.newfile up2date
Comment 16 Neil Horman 2005-06-06 14:18:11 EDT
You should be able to get most of the relevant data out of my patch above I
think (which Florian posted).  In /etc/sysconfig/rhn/up2date there should be a
line that matches the regex:
\(.*password=\)\(.*\)
The second part of that regex ( the \(.*\) should be the string representing the
password.

The patch above adds a fixup function to sysreport to allow you to easily strip
out unwanted data from sensitive files like this
Comment 17 Ngo Than 2005-06-07 04:03:01 EDT
Neil, i have fixed the match string in your patch, so it works fine now.
i have already committed the changes in CVS.

Should i do security errata for this, or just add into next RHEL-update?
Comment 18 Mark J. Cox (Product Security) 2005-06-07 04:18:31 EDT
Since this affects all RHEL I'd prefer a single async errata for this.
Comment 19 Mark J. Cox (Product Security) 2005-06-07 04:21:14 EDT
Since this flaw breaks a security promise it deserves a CVE name, therefore I've
assigned CAN-2005-1760 to this issue.
Comment 28 Josh Bressers 2005-06-13 07:40:16 EDT
When run by the root user, sysreport includes the contents of the
/etc/sysconfig/rhn/up2date configuration file. If up2date has been
configured to connect to a proxy server that requires an authentication
password, that password is included in plain text in the system report.
The Common Vulnerabilities and Exposures project assigned the name
CAN-2005-1760 to this issue.
Comment 29 Josh Bressers 2005-06-13 08:22:17 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-502.html

Note You need to log in before you can comment on or make changes to this bug.