txlongpoll.yaml contains password but is world readable

Bug #1254034 reported by James Troup on 2013-11-22
Affects: maas (Ubuntu)
Importance: Undecided
Assigned to: Andres Rodriguez

Bug Description

/etc/maas/txlongpoll.yaml contains a password but is shipped world readable

| nobody@polong:/$ cat /etc/maas/txlongpoll.yaml

[...]

| ## Message broker configuration.
| #
| broker:
| host: "localhost"
| port: 5672
| username: "maas_longpoll"
| password: "XXXXXXXXXXXXXXXXXX"
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| vhost: "/maas_longpoll"
|
| ## Where to log. This log can be rotated by sending SIGUSR1 to the
| ## running server.
| #
| # logfile: "txlongpoll.log"
| logfile: "/var/log/maas/txlongpoll.log"
| nobody@polong:/$

James Troup (elmo) wrote :

james@polong:~$ dpkg -c /var/cache/apt/archives/maas-region-controller_1.2+bzr1373+dfsg-0ubuntu1~12.04.4_all.deb | grep txlongpoll.yaml
-rw-r--r-- root/root 856 2013-11-02 06:23 ./etc/maas/txlongpoll.yaml

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2013-1069

Marc Deslauriers (mdeslaur) wrote :

Andres,

Could you take a look at this, please?

Changed in maas (Ubuntu):
assignee: nobody → Andres Rodriguez (andreserl)

Jamie Strandboge (jdstrand) wrote :

Any progress on this?

Andres Rodriguez (andreserl) wrote :

Attached the patch above.

Andres Rodriguez (andreserl) wrote :

Attached wrong patch, here is the correct one.

Seth Arnold (seth-arnold) wrote :

Thanks for the patch, but it did not fix the permissions of an existing file upon upgrade.

I've attached a patch that fixes permissions of the file upon upgrade; please add this, or something very similar, to the postinst for the trusty packaging. I have added this stanza to the packaging for precise, quantal, and saucy releases. I believe we can remove it for the 14.10 release, probably MAAS users will jump from one LTS to the next.

Thanks
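A postinst-style check and repair of the kind Seth Arnold describes above, written here as an added example; it is not the patch attached to this bug, and the owner, group and mode it applies are assumptions, since the bug page does not state the values the packaging used.

```shell
#!/bin/sh
# Added example, not the patch from this bug. The owner/group/mode used
# below are assumptions; the bug page only says "correct permissions".
set -e

# Return 0 if the "other" read bit is set on FILE.
# Reads the permission column of `ls -ld` (portable across GNU and BSD),
# where character 8 is the world-read bit: -rw-r--r-- -> 'r' at column 8.
is_world_readable() {
    f="$1"
    [ -e "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c1-10)
    [ "$(printf '%s' "$perms" | cut -c8)" = "r" ]
}

# Tighten a secret-bearing config file if it exists and is too open.
# This is the upgrade case from the thread: the file is already on disk,
# so the maintainer script must repair it rather than rely on the mode the
# new package ships with. Defaults (root:root, 0640) are assumptions.
fix_secret_file() {
    f="$1"; owner="${2:-root}"; group="${3:-root}"; mode="${4:-0640}"
    [ -e "$f" ] || return 0          # nothing to repair on a fresh install
    if is_world_readable "$f"; then
        chown "$owner:$group" "$f"
        chmod "$mode" "$f"
    fi
}

# Usage as it would appear in a postinst "configure" stanza (path from the
# bug; owner/group are assumed): fix_secret_file /etc/maas/txlongpoll.yaml root maas 0640
```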

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package maas - 1.4+bzr1693+dfsg-0ubuntu2.3

---------------
maas (1.4+bzr1693+dfsg-0ubuntu2.3) saucy-security; urgency=low

  * SECURITY UPDATE: incorrect Content-type header allowed cross-site
    scripting vulnerability if an unknown API was used. (LP: #1251336)
    - debian/patches/CVE-2013-1070.patch: Use Content-type text/plain to force
      browsers to not render error messages as HTML.
    - CVE-2013-1070
  * SECURITY UPDATE: /etc/maas/txlongpoll.yaml contained a publicly readable
    password. (LP: #1254034)
    - debian/maas-region-controller-min.postinst: chown and chmod
      /etc/maas/txlongpoll.yaml with correct permissions
    - CVE-2013-1069
 -- Seth Arnold <email address hidden> Tue, 11 Feb 2014 12:16:40 -0800

Changed in maas (Ubuntu):
status: New → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package maas - 1.2+bzr1373+dfsg-0ubuntu1~12.04.5

---------------
maas (1.2+bzr1373+dfsg-0ubuntu1~12.04.5) precise-security; urgency=low

  * SECURITY UPDATE: incorrect Content-type header allowed cross-site
    scripting vulnerability if an unknown API was used. (LP: #1251336)
    - debian/patches/CVE-2013-1070.patch: Use Content-type text/plain to force
      browsers to not render error messages as HTML.
    - CVE-2013-1070
  * SECURITY UPDATE: /etc/maas/txlongpoll.yaml contained a publicly readable
    password. (LP: #1254034)
    - debian/maas-region-controller.postinst: chown and chmod
      /etc/maas/txlongpoll.yaml with correct permissions
    - CVE-2013-1069
 -- Seth Arnold <email address hidden> Mon, 10 Feb 2014 22:49:35 -0800

Changed in maas (Ubuntu):
status: New → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package maas - 1.2+bzr1373+dfsg-0ubuntu1.2

---------------
maas (1.2+bzr1373+dfsg-0ubuntu1.2) quantal-security; urgency=low

  * SECURITY UPDATE: incorrect Content-type header allowed cross-site
    scripting vulnerability if an unknown API was used. (LP: #1251336)
    - debian/patches/CVE-2013-1070.patch: Use Content-type text/plain to force
      browsers to not render error messages as HTML.
    - CVE-2013-1070
  * SECURITY UPDATE: /etc/maas/txlongpoll.yaml contained a publicly readable
    password. (LP: #1254034)
    - debian/maas-region-controller.postinst: chown and chmod
      /etc/maas/txlongpoll.yaml with correct permissions
    - CVE-2013-1069
 -- Seth Arnold <email address hidden> Tue, 11 Feb 2014 12:07:50 -0800

Changed in maas (Ubuntu):
status: New → Fix Released
information type: Private Security → Public Security