adtool displays password in proc title
Bug #209315 reported by
Stephan Mueller
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| adtool (Debian) |
Fix Released
|
Undecided
|
Jonathan Wiltshire | ||
| adtool (Ubuntu) |
Fix Released
|
Undecided
|
Jonathan Wiltshire | ||
Bug Description
Binary package hint: adtool
ps -efa shows all arguments supplied for adtool. As one can also supply the password for the Active Directory on the command line, this password is also displayed. Obviously, it should not be displayed. The attached patch changes that.
Unfortunately, this patch only replaces the password characters with NULL without changing argv[] properly. This means that ps -efa displays so many NULLs equal to the length of your password. If someone knows how to solve that in a sane way, please update the patch.
I tried to reach the author via the email specified in AUTHORS and got a mail bounce back.
This issue should be fixed in upstream, but I do not know who is responsible for upstream.
Revision history for this message
| Stephan Mueller (sm-chronox) wrote | #1 |
Revision history for this message
| Kees Cook (kees) wrote | #2 |
| Changed in adtool: | |
| status: | New → Triaged |
| Changed in adtool (Debian): | |
| assignee: | nobody → Jonathan Wiltshire (debian-jwiltshire) |
| status: | New → In Progress |
| Changed in adtool (Ubuntu): | |
| assignee: | nobody → Jonathan Wiltshire (debian-jwiltshire) |
| status: | Triaged → In Progress |
| Changed in adtool (Ubuntu): | |
| status: | In Progress → Fix Released |
| Changed in adtool (Debian): | |
| status: | In Progress → Fix Released |
To post a comment you must log in.
Steve, I've subscribed you since you're the most recent uploader of adtool. This looks like a solvable problem, but probably done in a way so that the argument isn't on the command-line at all.