* Tidy up after Malone bug #34606, which left passwords exposed in
/var/log/installer/cdebconf/questions.dat, by removing those passwords;
for good measure, make /var/log/installer/cdebconf/* world-unreadable if
this bug is detected.
-- Colin Watson <email address hidden> Sun, 12 Mar 2006 21:43:40 +0000
* Tidy up after Malone bug #34606, which left passwords exposed in
/var/log/installer/cdebconf/questions.dat, by removing those passwords
when base-config runs; for good measure, make
/var/log/installer/cdebconf/* world-unreadable if this bug is detected.
-- Colin Watson <email address hidden> Sun, 12 Mar 2006 22:28:05 +0000
shadow deals with upgraders, and base-config deals with people doing fresh installs from CD images they've built themselves from breezy + breezy-security (which is more of a corner case, but it won't be obvious to most people why the shadow fix can't cover fresh installs).
Dapper:
shadow (1:4.0.13-7ubuntu2) dapper; urgency=low
* Tidy up after Malone bug #34606, which left passwords exposed in
/var/log/installer/cdebconf/questions.dat, by removing those passwords;
for good measure, make /var/log/installer/cdebconf/* world-unreadable if
this bug is detected.
-- Colin Watson <email address hidden> Sun, 12 Mar 2006 22:45:32 +0000
This mirrors the breezy-security change. There's no base-config change because base-config is no longer used in Dapper, and since this bug only manifests in some very strange circumstances in Dapper it's not necessary to do that kind of post-install cleanup there.
cdebconf (0.97ubuntu2) dapper; urgency=low
* Backport from trunk:
- Honour accept_types/reject_types for questions registered against
templates that were received in DATA commands over passthrough. This
was one of the root causes of Ubuntu's recent installer password
disclosure vulnerability (CVE-2006-1183).
-- Colin Watson <email address hidden> Mon, 13 Mar 2006 02:08:16 +0000
This fixes one of the two fundamental issues that caused this bug. (The other was in initial-passwd-udeb, which Dapper no longer uses, which is part of the reason it largely doesn't suffer from this.)
cdebconf (0.97ubuntu3) dapper; urgency=low
* Backport from trunk:
- Reset question template pointers whenever they change, not just when
the tag changes; do this in X_LOADTEMPLATEFILE and dpkg-reconfigure as
well as debconf-loadtemplate.
- Add a remove method to the question database; use this to migrate
questions to the correct stacked database in the event that their
types change (fixes preseeded passwords ending up in questions.dat on
the installed system in some cases).
* Add CVE number to 0.97ubuntu2 changelog entry.
-- Colin Watson <email address hidden> Mon, 13 Mar 2006 13:43:30 +0000
This fixes a more subtle issue, namely that preseeded installs of Dapper where the preseed file had incorrect types for the password questions (that is, any type other than "password") would finish up with the preseeded password in /var/log/installer/cdebconf/questions.dat. We need a debian-installer upload for these cdebconf changes to take effect, which I'm going to do shortly.
Finally, changes from Debian to installation-report and prebaseconfig for Dapper are waiting in the wings to make all the installation logs readable by root only.
So, here's the set of stuff that I've released so far for this bug.
Breezy security updates:
shadow (1:4.0.3-37ubuntu8) breezy-security; urgency=low
* Tidy up after Malone bug #34606, which left passwords exposed in log/installer/ cdebconf/ questions. dat, by removing those passwords; installer/ cdebconf/ * world-unreadable if
/var/
for good measure, make /var/log/
this bug is detected.
-- Colin Watson <email address hidden> Sun, 12 Mar 2006 21:43:40 +0000
base-config (2.67ubuntu20) breezy-security; urgency=low
* Tidy up after Malone bug #34606, which left passwords exposed in log/installer/ cdebconf/ questions. dat, by removing those passwords log/installer/ cdebconf/ * world-unreadable if this bug is detected.
/var/
when base-config runs; for good measure, make
/var/
-- Colin Watson <email address hidden> Sun, 12 Mar 2006 22:28:05 +0000
shadow deals with upgraders, and base-config deals with people doing fresh installs from CD images they've built themselves from breezy + breezy-security (which is more of a corner case, but it won't be obvious to most people why the shadow fix can't cover fresh installs).
Dapper:
shadow (1:4.0.13-7ubuntu2) dapper; urgency=low
* Tidy up after Malone bug #34606, which left passwords exposed in log/installer/ cdebconf/ questions. dat, by removing those passwords; installer/ cdebconf/ * world-unreadable if
/var/
for good measure, make /var/log/
this bug is detected.
-- Colin Watson <email address hidden> Sun, 12 Mar 2006 22:45:32 +0000
This mirrors the breezy-security change. There's no base-config change because base-config is no longer used in Dapper, and since this bug only manifests in some very strange circumstances in Dapper it's not necessary to do that kind of post-install cleanup there.
cdebconf (0.97ubuntu2) dapper; urgency=low
* Backport from trunk: types/reject_ types for questions registered against
- Honour accept_
templates that were received in DATA commands over passthrough. This
was one of the root causes of Ubuntu's recent installer password
disclosure vulnerability (CVE-2006-1183).
-- Colin Watson <email address hidden> Mon, 13 Mar 2006 02:08:16 +0000
This fixes one of the two fundamental issues that caused this bug. (The other was in initial- passwd- udeb, which Dapper no longer uses, which is part of the reason it largely doesn't suffer from this.)
cdebconf (0.97ubuntu3) dapper; urgency=low
* Backport from trunk: loadtemplate.
- Reset question template pointers whenever they change, not just when
the tag changes; do this in X_LOADTEMPLATEFILE and dpkg-reconfigure as
well as debconf-
- Add a remove method to the question database; use this to migrate
questions to the correct stacked database in the event that their
types change (fixes preseeded passwords ending up in questions.dat on
the installed system in some cases).
* Add CVE number to 0.97ubuntu2 changelog entry.
-- Colin Watson <email address hidden> Mon, 13 Mar 2006 13:43:30 +0000
This fixes a more subtle issue, namely that preseeded installs of Dapper where the preseed file had incorrect types for the password questions (that is, any type other than "password") would finish up with the preseeded password in /var/log/ installer/ cdebconf/ questions. dat. We need a debian-installer upload for these cdebconf changes to take effect, which I'm going to do shortly.
Finally, changes from Debian to installation-report and prebaseconfig for Dapper are waiting in the wings to make all the installation logs readable by root only.