Red Hat Bugzilla – Bug 293091
Please erase the password in address space as soon as it is used
Last modified: 2007-11-30 17:12:15 EST
The ncftp part: argv or anything else should not contain the plaintext
password no longer than it is absolutely needful. Some programs just overwrite
the password with '*' characters or something similar, and it won't be pointless
+++ This bug was initially created as a clone of Bug #293081 +++
Description of problem:
When duplicity's FTP backend calls ncftp, it passes the password argument via
command line. That's bad -- anyone can see that. On the other side, it's a very
good practice to overwrite the password string in the address space after it's
used, though it can still be viewed under a time-dependent race condition,
that's why I am cloning this to ncftp also.
See URL for the Debian BTS entry for more details.
If ncftp uses the password multiple times, please copy it away from argv and
overwrite the argv substring. Also, please modify the manual to emphasize that
passing the password via command line is unsafe.
This is really not the best place for this kind of bug report: I am not the
upstream author, and this isn't a Fedora specific problem at all.
Please go through the official contact method to report the problem:
I'll be more than happy to include an official patch or update to a new version
once the problem is fixed upstream.
I have a problem with a Fedora package, so I did report this to my upstream,
which is the Fedora project :)
I did no research on whether this is a Fedora specific problem and have no idea
whether upstream would accept the fix. I would say it's up to maintainer.
Anyways, the problem seems simple, so if you don't feel like fixing it or
communicating it to the upstream, please don't close the bug, but reassign it to me.
Reassigning to you, then.
I'll also drop a line to Mike Gleason (the author) about this.
Got an answer from Mike:
"Perhaps he's using an older version; we already erase it as soon as
    (void) STRNCPY(gConn.pass, opt.arg);    /* Don't recommend doing this! */
    memset(opt.arg, '*', strlen(opt.arg));
Indeed, I just tried "ncftp -uftp -pftp ftp" and see:
27179 pts/1 S+ 0:00 ncftp -u*** -p*** ftp
So closing as NOTABUG.
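The technique Mike describes (copy the password out of argv into a private buffer, then overwrite the argv bytes with '*' so ps and /proc/&lt;pid&gt;/cmdline no longer show it), written out as an added, stand-alone example; this is not ncftp's own code, and the function names, PASS_MAX and the "-p" option handling are assumptions for the demo.

```c
#include <stdio.h>
#include <string.h>

#define PASS_MAX 128  /* assumed buffer size for the copied password */

/* Copy the password out of an argv-style string into a private buffer,
 * then overwrite the original in place with '*' so that the command line
 * visible through ps no longer contains it. Returns 0 on success, -1 if
 * the argument does not fit in dest. */
int scrub_password_arg(char *arg, char *dest, size_t dest_len) {
    size_t n = strlen(arg);
    if (n >= dest_len) return -1;
    memcpy(dest, arg, n + 1);
    /* Write through a volatile pointer so the overwrite of argv memory is
       never treated as a dead store and dropped by the compiler. */
    volatile char *p = arg;
    for (size_t i = 0; i < n; i++) p[i] = '*';
    return 0;
}

/* Walk argv and scrub the value of "-p<pass>" (the form ncftp accepts) and
 * of a separate "-p <pass>" argument. Returns the number of values scrubbed;
 * dest ends up holding the last password seen. */
int scrub_argv(int argc, char **argv, char *dest, size_t dest_len) {
    int count = 0;
    for (int i = 1; i < argc; i++) {
        if (strncmp(argv[i], "-p", 2) != 0) continue;
        if (argv[i][2] != '\0') {
            if (scrub_password_arg(argv[i] + 2, dest, dest_len) == 0) count++;
        } else if (i + 1 < argc) {
            if (scrub_password_arg(argv[++i], dest, dest_len) == 0) count++;
        }
    }
    return count;
}

int main(int argc, char **argv) {
    char pass[PASS_MAX];
    int n = scrub_argv(argc, argv, pass, sizeof pass);
    printf("scrubbed %d password argument(s)\n", n);
    /* From here on, ps shows "-p****" while 'pass' holds the real value. */
    return 0;
}
```

As the report itself notes, this only shortens the exposure: between exec() and the overwrite the plaintext is still readable by anyone listing processes, so the manual's advice to avoid passing passwords on the command line still stands.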