txlongpoll.yaml contains password but is world readable

Bug #1254034 reported by James Troup
Affects: maas (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Andres Rodriguez

Bug Description

/etc/maas/txlongpoll.yaml contains a password but is shipped world readable

| nobody@polong:/$ cat /etc/maas/txlongpoll.yaml

[...]

| ## Message broker configuration.
| #
| broker:
|   host: "localhost"
|   port: 5672
|   username: "maas_longpoll"
|   password: "XXXXXXXXXXXXXXXXXX"
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|   vhost: "/maas_longpoll"
|
| ## Where to log. This log can be rotated by sending SIGUSR1 to the
| ## running server.
| #
| # logfile: "txlongpoll.log"
| logfile: "/var/log/maas/txlongpoll.log"
| nobody@polong:/$

Revision history for this message
James Troup (elmo) wrote :

james@polong:~$ dpkg -c /var/cache/apt/archives/maas-region-controller_1.2+bzr1373+dfsg-0ubuntu1~12.04.4_all.deb | grep txlongpoll.yaml
-rw-r--r-- root/root 856 2013-11-02 06:23 ./etc/maas/txlongpoll.yaml

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2013-1069

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Andres,

Could you take a look at this, please?

Changed in maas (Ubuntu):
assignee: nobody → Andres Rodriguez (andreserl)

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Any progress on this?

Revision history for this message
Andres Rodriguez (andreserl) wrote :

Attached the patch above.

Revision history for this message
Andres Rodriguez (andreserl) wrote :

Attached wrong patch, here is the correct one.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks for the patch, but it did not fix the permissions of an existing file upon upgrade.

I've attached a patch that fixes permissions of the file upon upgrade; please add this, or something very similar, to the postinst for the trusty packaging. I have added this stanza to the packaging for precise, quantal, and saucy releases. I believe we can remove it for the 14.10 release, probably MAAS users will jump from one LTS to the next.

Thanks
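
The two checks raised in this thread, the `dpkg -c` listing inspection from James's comment and the existing-file permission repair Seth wants in the postinst, as an added POSIX shell example. This is not code from MAAS, from the attached patches, or from the Ubuntu packaging. The target ownership `root:<service group>` and mode 0640 are assumptions (the changelogs only say "correct permissions"); the group name passed in, the sample YAML, and the second listing line are constructed for the demo.

```shell
#!/bin/sh
# Added example, not MAAS packaging. Audits a config file that carries a
# credential for world-readability and repairs it the way a maintainer
# postinst stanza would, on both fresh install and upgrade.
set -u

# Read a `dpkg -c` (tar -tv style) listing on stdin and print every entry
# under ./etc/ whose mode string has the other-read bit set (column 8).
# Returns 0 if anything was flagged, 1 if the listing is clean.
flag_world_readable_etc() {
    awk '$1 ~ /^-......r/ && $NF ~ /^\.\/etc\// { print $NF; found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Return 0 if FILE's mode has the other-read bit set. Parses `ls -l`
# rather than `stat`, whose flags differ between GNU and BSD userlands.
is_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Return 0 if FILE has a YAML/INI-style key that looks like a credential.
has_secret_key() {
    grep -Eiq '^[[:space:]]*(password|secret|token)[[:space:]]*[:=]' "$1"
}

# Audit: returns 1 (finding) when FILE both holds a secret and is readable
# by everyone; 0 otherwise.
audit_secret_file() {
    if has_secret_key "$1" && is_world_readable "$1"; then
        printf 'FINDING: %s is world-readable and contains a secret\n' "$1"
        return 1
    fi
    return 0
}

# Repair, shaped like a postinst stanza: a no-op if the file is absent,
# otherwise root-owned, group-readable by the service group only (assumed
# target: root:GROUP 0640). chown is attempted only when running as root,
# which a real postinst always is.
harden_secret_file() {
    f="$1"; grp="$2"
    [ -f "$f" ] || return 0
    if [ "$(id -u)" -eq 0 ]; then
        chown "root:$grp" "$f"
    fi
    chmod 0640 "$f"
}

# Demo on a constructed file and a constructed listing.
demo() {
    tmp=$(mktemp -d)
    f="$tmp/txlongpoll.yaml"
    cat > "$f" <<'EOF'
broker:
  host: "localhost"
  port: 5672
  username: "maas_longpoll"
  password: "not-a-real-secret"
  vhost: "/maas_longpoll"
EOF
    chmod 0644 "$f"                       # the shipped mode from the report
    audit_secret_file "$f" || true        # expected: FINDING
    harden_secret_file "$f" "$(id -gn)"   # assumed service group for the demo
    audit_secret_file "$f" && echo "OK: $f is now $(ls -l "$f" | cut -c1-10)"

    # First line is the real dpkg -c output from the thread; second is constructed.
    printf '%s\n%s\n' \
        '-rw-r--r-- root/root 856 2013-11-02 06:23 ./etc/maas/txlongpoll.yaml' \
        '-rw-r----- root/root  42 2013-11-02 06:23 ./etc/maas/example.conf' \
        | flag_world_readable_etc || echo "OK: listing is clean"
    rm -rf "$tmp"
}

demo
```

Running `flag_world_readable_etc` over `dpkg -c` output catches the problem before the package is installed; the repair function is what has to run from postinst, because dpkg leaves an existing, unmodified conffile on disk across an upgrade, so a mode change in the archive alone never reaches systems that already have the file. After repairing the mode on an upgraded system, treat the broker password as already exposed and rotate it.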

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package maas - 1.4+bzr1693+dfsg-0ubuntu2.3

---------------
maas (1.4+bzr1693+dfsg-0ubuntu2.3) saucy-security; urgency=low

  * SECURITY UPDATE: incorrect Content-type header allowed cross-site
    scripting vulnerability if an unknown API was used. (LP: #1251336)
    - debian/patches/CVE-2013-1070.patch: Use Content-type text/plain to force
      browsers to not render error messages as HTML.
    - CVE-2013-1070
  * SECURITY UPDATE: /etc/maas/txlongpoll.yaml contained a publicly readable
    password. (LP: #1254034)
    - debian/maas-region-controller-min.postinst: chown and chmod
      /etc/maas/txlongpoll.yaml with correct permissions
    - CVE-2013-1069
 -- Seth Arnold <email address hidden> Tue, 11 Feb 2014 12:16:40 -0800

Changed in maas (Ubuntu):
status: New → Fix Released

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package maas - 1.2+bzr1373+dfsg-0ubuntu1~12.04.5

---------------
maas (1.2+bzr1373+dfsg-0ubuntu1~12.04.5) precise-security; urgency=low

  * SECURITY UPDATE: incorrect Content-type header allowed cross-site
    scripting vulnerability if an unknown API was used. (LP: #1251336)
    - debian/patches/CVE-2013-1070.patch: Use Content-type text/plain to force
      browsers to not render error messages as HTML.
    - CVE-2013-1070
  * SECURITY UPDATE: /etc/maas/txlongpoll.yaml contained a publicly readable
    password. (LP: #1254034)
    - debian/maas-region-controller.postinst: chown and chmod
      /etc/maas/txlongpoll.yaml with correct permissions
    - CVE-2013-1069
 -- Seth Arnold <email address hidden> Mon, 10 Feb 2014 22:49:35 -0800

Changed in maas (Ubuntu):
status: New → Fix Released

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package maas - 1.2+bzr1373+dfsg-0ubuntu1.2

---------------
maas (1.2+bzr1373+dfsg-0ubuntu1.2) quantal-security; urgency=low

  * SECURITY UPDATE: incorrect Content-type header allowed cross-site
    scripting vulnerability if an unknown API was used. (LP: #1251336)
    - debian/patches/CVE-2013-1070.patch: Use Content-type text/plain to force
      browsers to not render error messages as HTML.
    - CVE-2013-1070
  * SECURITY UPDATE: /etc/maas/txlongpoll.yaml contained a publicly readable
    password. (LP: #1254034)
    - debian/maas-region-controller.postinst: chown and chmod
      /etc/maas/txlongpoll.yaml with correct permissions
    - CVE-2013-1069
 -- Seth Arnold <email address hidden> Tue, 11 Feb 2014 12:07:50 -0800

Changed in maas (Ubuntu):
status: New → Fix Released
information type: Private Security → Public Security