password passed through -e by environment is leaked in /proc

Bug #1649374 reported by Xianfeng Zhao
Affects: sshpass (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

Run sshpass as follows:

SSHPASS="password" /usr/bin/sshpass -e ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null user@localhost

user@Ubuntu14-VM:/proc/49571$ cat environ
SSHPASS=password ...

The password is leaked here.

Recommendation:

SSHPASS should be cleared after use.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: sshpass 1.05-1
ProcVersionSignature: Ubuntu 3.13.0-39.66-generic 3.13.11.8
Uname: Linux 3.13.0-39-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.5
Architecture: amd64
Date: Mon Dec 12 13:44:35 2016
Dependencies:
 gcc-4.9-base 4.9.1-0ubuntu1
 libc6 2.19-0ubuntu6.3
 libgcc1 1:4.9.1-0ubuntu1
 multiarch-support 2.19-0ubuntu6.3
InstallationDate: Installed on 2014-04-22 (965 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
ProcEnviron:
 TERM=xterm
 PATH=(custom, no username)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: sshpass
UpgradeStatus: No upgrade log present (probably fresh install)
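The recommendation above (clear SSHPASS after use) has a subtlety worth showing: unsetenv() only unlinks the pointer from the environ array, while /proc/PID/environ exposes the original environment bytes the kernel placed on the stack at exec time, so the value has to be overwritten in place before it is dropped. The following is an added illustration written for this page, not sshpass's own code or its upstream fix; the function names and the SSHPASS_EXAMPLE variable used in the self-check are assumptions.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Overwrite LEN bytes through a volatile pointer so the compiler cannot
 * drop the store as a dead write. */
static void wipe(char *p, size_t len) {
    volatile char *v = p;
    for (size_t i = 0; i < len; i++) v[i] = '\0';
}

/* Copy the value of NAME into OUT, then scrub the value bytes that
 * /proc/PID/environ would expose and remove the variable. Returns the
 * value length, or -1 if NAME is unset or does not fit in OUT. */
int take_secret_from_env(const char *name, char *out, size_t outlen) {
    char *value = getenv(name);      /* points into the live environment block */
    if (value == NULL) return -1;
    size_t len = strlen(value);
    if (len + 1 > outlen) return -1;
    memcpy(out, value, len + 1);
    wipe(value, len);                /* zero the bytes /proc would show */
    unsetenv(name);                  /* now also unlink the entry */
    return (int)len;
}

/* Scan the NUL-separated entries of /proc/self/environ for NEEDLE.
 * Returns 1 if found, 0 if not, -1 if /proc is unavailable. */
int proc_environ_contains(const char *needle) {
    FILE *f = fopen("/proc/self/environ", "rb");
    if (f == NULL) return -1;
    char buf[65536];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    for (size_t off = 0; off < n; off += strlen(buf + off) + 1)
        if (strstr(buf + off, needle) != NULL) return 1;
    return 0;
}

int main(void) {
    char secret[256];
    if (take_secret_from_env("SSHPASS", secret, sizeof secret) < 0) {
        fputs("SSHPASS not set\n", stderr);
        return 1;
    }
    /* ... hand SECRET to the child here; then scrub the local copy too ... */
    printf("still visible in /proc/self/environ: %d\n", proc_environ_contains(secret));
    wipe(secret, sizeof secret);
    return 0;
}
```

Run it as `SSHPASS=hunter2 ./a.out` and the reported value is 0; with only unsetenv() in place of wipe() it would be 1.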

Shachar Shemesh (shachar-shemesh) wrote :

Fixed in upstream. Will be released in sshpass 1.08

Changed in sshpass (Ubuntu):
status: New → Fix Committed
Shachar Shemesh (shachar-shemesh) wrote :

In the future, please post such bugs to the upstream project's bug tracker. It was pure chance I saw it here.

Changed in sshpass (Ubuntu):
status: Fix Committed → Fix Released