So, here's the set of stuff that I've released so far for this bug.


Breezy security updates:

shadow (1:4.0.3-37ubuntu8) breezy-security; urgency=low

  * Tidy up after Malone bug #34606, which left passwords exposed in
    /var/log/installer/cdebconf/questions.dat, by removing those passwords;
    for good measure, make /var/log/installer/cdebconf/* world-unreadable if
    this bug is detected.

 -- Colin Watson <email address hidden>  Sun, 12 Mar 2006 21:43:40 +0000

base-config (2.67ubuntu20) breezy-security; urgency=low

  * Tidy up after Malone bug #34606, which left passwords exposed in
    /var/log/installer/cdebconf/questions.dat, by removing those passwords
    when base-config runs; for good measure, make
    /var/log/installer/cdebconf/* world-unreadable if this bug is detected.

 -- Colin Watson <email address hidden>  Sun, 12 Mar 2006 22:28:05 +0000

shadow deals with upgraders, and base-config deals with people doing fresh installs from CD images they've built themselves from breezy + breezy-security (which is more of a corner case, but it won't be obvious to most people why the shadow fix can't cover fresh installs).


Dapper:

shadow (1:4.0.13-7ubuntu2) dapper; urgency=low

  * Tidy up after Malone bug #34606, which left passwords exposed in
    /var/log/installer/cdebconf/questions.dat, by removing those passwords;
    for good measure, make /var/log/installer/cdebconf/* world-unreadable if
    this bug is detected.

 -- Colin Watson <email address hidden>  Sun, 12 Mar 2006 22:45:32 +0000

This mirrors the breezy-security change. There's no base-config change because base-config is no longer used in Dapper, and since this bug only manifests in some very strange circumstances in Dapper it's not necessary to do that kind of post-install cleanup there.

cdebconf (0.97ubuntu2) dapper; urgency=low

  * Backport from trunk:
    - Honour accept_types/reject_types for questions registered against
      templates that were received in DATA commands over passthrough. This
      was one of the root causes of Ubuntu's recent installer password
      disclosure vulnerability (CVE-2006-1183).

 -- Colin Watson <email address hidden>  Mon, 13 Mar 2006 02:08:16 +0000

This fixes one of the two fundamental issues that caused this bug. (The other was in initial-passwd-udeb, which Dapper no longer uses, which is part of the reason it largely doesn't suffer from this.)

cdebconf (0.97ubuntu3) dapper; urgency=low

  * Backport from trunk:
    - Reset question template pointers whenever they change, not just when
      the tag changes; do this in X_LOADTEMPLATEFILE and dpkg-reconfigure as
      well as debconf-loadtemplate.
    - Add a remove method to the question database; use this to migrate
      questions to the correct stacked database in the event that their
      types change (fixes preseeded passwords ending up in questions.dat on
      the installed system in some cases).
  * Add CVE number to 0.97ubuntu2 changelog entry.

 -- Colin Watson <email address hidden>  Mon, 13 Mar 2006 13:43:30 +0000

This fixes a more subtle issue, namely that preseeded installs of Dapper where the preseed file had incorrect types for the password questions (that is, any type other than "password") would finish up with the preseeded password in /var/log/installer/cdebconf/questions.dat. We need a debian-installer upload for these cdebconf changes to take effect, which I'm going to do shortly.

Finally, changes from Debian to installation-report and prebaseconfig for Dapper are waiting in the wings to make all the installation logs readable by root only.