This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 456612 - (CVE-2007-5626) CVE-2007-5626 bacula: MySQL Director Password Disclosure Weakness
CVE-2007-5626 bacula: MySQL Director Password Disclosure Weakness
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: bacula (Show other bugs)
rawhide
All Linux
medium Severity low
: ---
: ---
Assigned To: Andreas Thienemann
Fedora Extras Quality Assurance
: FutureFeature, Security
Depends On:
Blocks: 841601
  Show dependency treegraph
 
Reported: 2008-07-24 18:34 EDT by Felix Schwarz
Modified: 2013-02-13 12:02 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-26 23:27:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Felix Schwarz 2008-07-24 18:34:04 EDT
From the CVE description:
"make_catalog_backup in Bacula 2.2.5, and probably earlier, sends a MySQL
password as a command line argument, and sometimes transmits cleartext e-mail
containing this command line, which allows context-dependent attackers to obtain
the password by listing the process and its arguments, or by sniffing the network."

http://www.bacula.org/en/rel-manual/Catalog_Maintenance.html#SECTION0024130000000000000000

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5626
http://www.net-security.org/advisory.php?id=9098
http://www.securityfocus.com/archive/1/494604
http://secunia.com/advisories/27243

http://bugs.bacula.org/view.php?id=990
https://bugs.gentoo.org/show_bug.cgi?id=196834
Comment 1 Felix Schwarz 2008-07-24 18:35:03 EDT
Forgot to mention that this bug is present in F8, F9, devel and EPEL 5.
Comment 2 Tomas Hoger 2008-07-25 05:48:58 EDT
Removing groups to make bug publicly accessible.  There is no need to keep it
private.

Felix, what is your expected fix for this?  Upstream treats this as
documentation issue and it as treated as such.  Do you propose to diverge from
upstream and use modified scripts using environment or my.cnf file by default?
Comment 3 Christopher D. Stover 2008-10-26 23:43:45 EDT
Felix, could you please reply to the previous question? If you don't reply in one month, I will have to close this bug as INSUFFICIENT_DATA. Thank you. 

Andreas or Tomas -- Either of you have any other ideas on this or should it be closed?
Comment 4 Felix Schwarz 2008-10-27 02:31:56 EDT
Sorry about my inactivity here. The only real solution would be (imho) to use neither command line arguments nor environment variables. So I guess the solution would be to add config files like my.cfg for MySQL to /etc/bacula where the password should be stored and remove the usage of command line parameters from the catalog backup scripts.

Disadvantage: The user has to enter his password twice (bacula-dir.conf, my.cnf).

If there is a solution we agree on, I can build a patch for the bacula rpm.
Comment 5 Simone Caronni 2012-07-18 05:36:25 EDT
Hello,

I'm doing some housekeeping in Bacula bugs, any news regarding this or it can be closed with INSUFFICIENT_DATA as in comment #3?

Thanks,
--Simone
Comment 6 Tomas Hoger 2012-07-19 10:16:07 EDT
AFAICS, make_catalog_backup in bacula-director-5.2.10-4.fc18 still calls mysqldump with password as command line argument.  It is also passed to the script as command line argument, with the following warning in the script:

#  $3 is the password with which to access the database or "" if no password
#     (default ""). WARNING!!! Passing the password via the command line is.
#     insecure and should not be used since any user can display the command.
#     line arguments and the environment using ps.  Please consult your
#     MySQL or PostgreSQL manual for secure methods of specifying the
#     password.
Comment 7 Simone Caronni 2012-07-19 10:51:16 EDT
1) Fedora 17 (5.2.0+):

I will remove it. It is not referenced by anything in Bacula and as stated in the manual is just an example.

In the same directory exists a newer "make_catalog_backup.pl" which reads the same password bacula-dir uses from the config file and is the one used by the catalog backup job to backup the database.

2) Fedora 16 (5.0.3):

Only make_catalog_backup.pl is available.

3) Epel 5 (2.4.4)

There is no perl variant, only the script one is available and is referenced in the default job.

I can put the same perl script in the Epel 5 package with a symlink, but the job needs to be changed like it is in 5.0.3; so from:

  # This creates an ASCII copy of the catalog
  # WARNING!!! Passing the password via the command line is insecure.
  # see comments in make_catalog_backup for details.
  # Arguments to make_catalog_backup are:
  #  make_catalog_backup <database-name> <user-name> <password> <host>
  RunBeforeJob = "@scriptdir@/make_catalog_backup @db_name@ @db_user@"

to 

  # This creates an ASCII copy of the catalog
  # Arguments to make_catalog_backup.pl are:
  #  make_catalog_backup.pl <catalog-name>
  RunBeforeJob = "/usr/libexec/bacula/make_catalog_backup.pl MyCatalog"
  # This deletes the copy of the catalog
Comment 8 Simone Caronni 2012-07-20 04:11:15 EDT
Removed the script in f17 packages.
Comment 9 Simone Caronni 2012-07-30 06:43:06 EDT
Sorry for the delay, I was pretty busy.

I created a build for RHEL 5 with the perl variant included:

http://koji.fedoraproject.org/koji/buildinfo?buildID=344922

The default config file and everything point at it, so for new installations this is not a problem. Any idea on how to make the change in the director config file for the user?

From:

RunBeforeJob = "/usr/libexec/bacula/make_catalog_backup database user (and maybe host and port)"

To:

RunBeforeJob = "/usr/libexec/bacula/make_catalog_backup.pl MyCatalog"

Where the "MyCatalog" tag is taken from the relevant stanza in the director's config file.

Is it ok to execute in the %post section of the package a sed command on the user's configuration file?

Thanks,
--Simone
Comment 10 Fedora Update System 2012-08-10 04:13:13 EDT
bacula-5.2.10-5.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/bacula-5.2.10-5.fc17
Comment 11 Tomas Hoger 2012-08-10 04:40:32 EDT
(In reply to comment #9)
> Is it ok to execute in the %post section of the package a sed command on the
> user's configuration file?

Such edits are usually considered something that should be avoided.  If it's config file, and the default configuration in rpm was changed, users with the default config should get it and those with modified should have it as .rpmnew.
Comment 12 Simone Caronni 2012-08-10 04:42:30 EDT
Thanks, and how are the users notified of the change?
Comment 13 Tomas Hoger 2012-08-10 05:08:29 EDT
When rpm creates a .rpmnew or .rpmsave during the package installation, it prints a message about it.
Comment 14 Simone Caronni 2012-08-10 05:11:26 EDT
Ok then, if the normal rpm logic is enough I'm ready. bacula-2.4.4-7.el5 is pending stable, as soon as it enters it I'm gonna push bacula-2.4.4-10.el5 which fixes this and other bugs.

Regards,
--Simone
Comment 15 Fedora Update System 2012-08-10 09:15:39 EDT
bacula-2.4.4-10.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/bacula-2.4.4-10.el5
Comment 16 Fedora Update System 2012-08-10 14:39:41 EDT
Package bacula-2.4.4-10.el5:
* should fix your issue,
* was pushed to the Fedora EPEL 5 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing bacula-2.4.4-10.el5'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2012-6674/bacula-2.4.4-10.el5
then log in and leave karma (feedback).
Comment 17 Fedora Update System 2012-08-26 23:27:16 EDT
bacula-5.2.10-5.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2012-08-27 13:00:51 EDT
bacula-2.4.4-10.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Robert Scheck 2012-09-25 18:38:28 EDT
Simone, the "fix" that you included into Bacula in EPEL 5 simply breaks
everything related to /usr/libexec/bacula/make_catalog_backup.pl: That
script calls "dbcheck -B".

First mistake is, that this is a copy of bscan.variant and not of the more
correct dbcheck.variant. Second mistake is that "dbcheck -B" is absolutely
not supported in such an old version of Bacula. I tried to backport that,
but it seems that it is not that trivial because the changed code also has
a dependency on other Bacula code parts that have been rewritten in parts.

Why the heck did you not proper test this before breaking things that way
and even incompatible? I expect packagers to do a good job including tests
of their work - this is EPEL, not Fedora!
Comment 20 Robert Scheck 2012-09-25 19:45:57 EDT
Okay...I think, I managed to write a proper patch. However, I still expect
somebody modifying a package to test the changes at least once - which did
not happen here obviously (make_catalog_backup.pl even failed a Perl syntax
check). The "dbcheck -B" works here, make_catalog_backup.pl backups as it's
expected and dbcheck/bscan/bcopy base on the proper database variant while
dbcheck is really dbcheck and not bscan anymore.
Comment 21 Fedora Update System 2012-09-25 19:55:25 EDT
bacula-2.4.4-12.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/bacula-2.4.4-12.el5
Comment 22 Fedora Update System 2012-10-15 13:59:21 EDT
bacula-2.4.4-12.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Stefan Cornelius 2013-02-12 04:47:04 EST
The affected script is still shipped as part of Red Hat Enterprise Linux 6. However, it is not used by default and there are security warnings within the script itself and the relevant documentation:

http://www.bacula.org/en/dev-manual/main/main/Catalog_Maintenance.html#SECTION0042140000000000000000

or /usr/share/doc/bacula-docs-5.0.0/main.pdf chapter 42 section 14.

The default configuration uses make_catalog_backup.pl script, which is not affected by this issue.

Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. This issue is not currently planned to be addressed in Red Hat Enterprise Linux 6. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Note You need to log in before you can comment on or make changes to this bug.