passwords leaked on command line

Bug #789356 reported by Dustin Kirkland on 2011-05-27
Affects: mythtv (Ubuntu)
Importance: Low
Assigned to: Unassigned

Bug Description

Binary package hint: mythtv

MySQL passwords are leaked on the command line, visible to any local user running "ps".

See:
./debian/mythtv-database.config: while ! echo "show databases;" | mysql --host="$HOST" --user="$USER" --password="$PASSWORD" >/dev/null 2>&1; do
./mythplugins/mythvideo/contrib/videometadata: echo "UPDATE videometadata SET coverfile=\"$THUMB_PATH\" WHERE filename=\"${DATEI}\" ;" | mysql -u $USER --password=$PASSW -D $DATABASE -h $HOST
./mythplugins/mythvideo/contrib/videometadata: echo "UPDATE videometadata SET coverfile=\"$THUMB_PATH\" WHERE filename=\"${DATEI}\" ;" | mysql -u $USER --password=$PASSW -D $DATABASE -h $HOST
./mythplugins/mythvideo/contrib/videometadata:echo "UPDATE videometadata SET showlevel=$SHOWLEVEL WHERE filename LIKE '$RATED_DIR/%' ;" | mysql -u $USER --password=$PASSW -D $DATABASE -h $HOST

and

./debian/mythtv-database.postinst: mysql $SECURITY_INFO $database
./debian/mythtv-database.postinst: mysql $SECURITY_INFO "$database" >/dev/null 2>&1; then
./debian/mythtv-database.postinst: mysql $SECURITY_INFO "$database" >/dev/null 2>&1; then
./debian/mythtv-database.postinst: SECURITY_INFO="--host=\"$hostname\" --user=\"$admin_username\" $admin_password"
./debian/mythtv-database.postinst: mysql $SECURITY_INFO "$database" >/dev/null 2>&1; then
./debian/mythtv-database.postinst: mysql $SECURITY_INFO "$database" >/dev/null 2>&1; then
./debian/mythtv-database.postinst: SECURITY_INFO="--defaults-file=/etc/mysql/debian.cnf"
./debian/mythtv-database.postinst: SECURITY_INFO="--host=\"$hostname\" --user=\"$admin_username\" $admin_password"
./debian/mythtv-database.postinst: if ! echo "SELECT NULL;" | mysql $SECURITY_INFO "$database" >/dev/null 2>&1; then
./debian/mythtv-database.postinst: while ! echo "CREATE DATABASE $database;" | mysql $SECURITY_INFO ; do
./debian/mythtv-database.postinst: if ! echo "SELECT value FROM settings LIMIT 1, 1;" | mysql $SECURITY_INFO "$database" >/dev/null 2>&1; then

The proper fix is to use a --defaults-file containing the password, per:
 * http://dev.mysql.com/doc/refman/5.1/en/option-files.html#option_general_defaults-file
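The --defaults-file approach named in the report, sketched as an added example that is not part of the original report or of the MythTV packaging. The function names make_mysql_defaults and run_sql, the temp-file name and the sample values are hypothetical; rejecting passwords that contain a double quote or newline is a simplification of this sketch.

```shell
#!/bin/sh
# Added example, not MythTV packaging code. All names here are hypothetical.

# Write a private option file holding the client credentials; print its path.
make_mysql_defaults() {
    host=$1 user=$2 password=$3
    case $password in
        *'"'*|*'
'*) echo "password contains a double quote or newline; not handled" >&2
            return 1 ;;
    esac
    # Option-file values treat "\" as an escape character, so double it.
    escaped=$(printf '%s' "$password" | sed 's/\\/\\\\/g')
    # mktemp creates the file with mode 0600; chmod makes that explicit.
    file=$(mktemp "${TMPDIR:-/tmp}/mythtv-my.XXXXXX") || return 1
    chmod 600 "$file"
    # printf is a shell builtin: the password is written by the shell itself
    # and never becomes an argument of a separate process that "ps" can list.
    printf '[client]\nhost="%s"\nuser="%s"\npassword="%s"\n' \
        "$host" "$user" "$escaped" > "$file"
    printf '%s\n' "$file"
}

# Run the mysql client with credentials taken from the option file only.
run_sql() {
    defaults=$1; shift
    # --defaults-file has to be the first option on the mysql command line.
    mysql --defaults-file="$defaults" "$@"
}

# Usage with constructed values, replacing the --password="$PASSWORD" call:
#   cnf=$(make_mysql_defaults localhost mythtv 'S3cr#t') || exit 1
#   trap 'rm -f "$cnf"' EXIT
#   echo "show databases;" | run_sql "$cnf" >/dev/null 2>&1
```

The process list then shows only the path of the option file, and the file itself is readable by its owner alone.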

visibility: private → public
Changed in mythtv (Ubuntu):
status: New → Confirmed
Changed in mythtv (Ubuntu):
importance: Undecided → Low
This report contains Public Security information