[Secure-testing-team] Bug#511893: ucf stores diff (of private files) in debconf (world readable)

Alexander Gerasiov gq at cs.msu.su
Thu Jan 15 13:30:41 UTC 2009


Package: ucf
Version: 3.0011
Severity: grave
Tags: security

How to reproduce:
root at vice:/tmp/ucftest# cat test1 
password="secret";
user="root";
start="no";
foor="bar";
root at vice:/tmp/ucftest# 

Let's install it:
root at vice:/tmp/ucftest# ucf test1 /tmp/ucftest/installed

Creating config file /tmp/ucftest/installed with new version
root at vice:/tmp/ucftest# 

Now we will change the password from "secret" to "verysecret" :)

And will install the upgraded package :)

root at vice:/tmp/ucftest# cat test2 
password="secret";
user="root";
start="no";
foor="bar";
bar="foo";
root at vice:/tmp/ucftest# ucf test2 /tmp/ucftest/installed
Replacing config file /tmp/ucftest/installed with new version

When ucf asks for confirmation I look at the diff.

And now let's search through the debconf database /var/cache/debconf/config.dat:
OMG!

=====
Name: ucf/show_diff
Template: ucf/show_diff
Value: 
Owners: ucf
Flags: seen
Variables:
 DIFF = --- /tmp/ucftest/installed 2009-01-15 16:19:18.122649009 +0300\n+++ /tmp/ucftest/test2 2009-01-15 16:19:08.263149119 +0300\n@@ -1,4 +1,5 @@\n-password="verysecret";\n+password="secret";\n user="root";\n start="no";\n foor="bar";\n+bar="foo";
=====

/var/cache/debconf/config.dat is world readable.


-- System Information:
Debian Release: 5.0
  APT prefers testing-proposed-updates
  APT policy: (700, 'testing-proposed-updates'), (700, 'testing'), (670, 'proposed-updates'), (670, 'stable'), (600, 'unstable'), (550, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages ucf depends on:
ii  coreutils                     6.10-6     The GNU core utilities
ii  debconf                       1.5.24     Debian configuration management sy

ucf recommends no packages.

ucf suggests no packages.

-- debconf information:
* ucf/show_diff:
* ucf/changeprompt_threeway: install_new
  ucf/title:
* ucf/changeprompt: install_new
