Bug#438375: marked as done (/usr/bin/mysqlreport: shows password as clear text on the console (not hidden))

[Debian Bug Tracking System]

Your message dated Wed, 14 Nov 2007 20:47:10 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#438375: fixed in mysql-dfsg-5.0 5.0.45-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---

Package: mysql-client-5.0
Version: 5.0.32-7etch1
Severity: normal
File: /usr/bin/mysqlreport


Bugreport: mysqlreport
# mysqlreport v2.5 Sep 1 2006

I found that the script does not hide the password in the interactive
password dialog, this is a security flaw and should be changed.
To reproduce type
mysqlreport --password

I think the following lines are responsible, but am not fit enough in
Perl to change this.

# line 78ff:
if(exists $op{'password'})
{
   if($op{'password'} eq '') # Prompt for password
   {
      Term::ReadKey::ReadMode(2) if $RK;
      print "Password for database user $mycnf{'user'}: ";
      chomp($mycnf{'pass'} = <STDIN>);
      Term::ReadKey::ReadMode(0), print "\n" if $RK;
   }
   else { $mycnf{'pass'} = $op{'password'}; } # Use password given on
command line
}

I reported this bug also to
http://hackmysql.com/feedback

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages mysql-client-5.0 depends on:
ii  debianutils                2.17          Miscellaneous utilities
specific t
ii  libc6                      2.3.6.ds1-13  GNU C Library: Shared libraries
ii  libdbd-mysql-perl          3.0008-1      A Perl5 database interface
to the
ii  libdbi-perl                1.53-1        Perl5 database interface by
Tim Bu
ii  libgcc1                    1:4.1.1-21    GCC support library
ii  libmysqlclient15off        5.0.32-7etch1 mysql database client library
ii  libncurses5                5.5-5         Shared libraries for
terminal hand
ii  libreadline5               5.2-2         GNU readline and history
libraries
ii  libstdc++6                 4.1.1-21      The GNU Standard C++ Library v3
ii  libwrap0                   7.6.dbs-13    Wietse Venema's TCP
wrappers libra
ii  mysql-common               5.0.32-7etch1 mysql database common files
(e.g.
ii  perl                       5.8.8-7       Larry Wall's Practical
Extraction
ii  zlib1g                     1:1.2.3-13    compression library - runtime

mysql-client-5.0 recommends no packages.

-- no debconf information

Thanks to you all,
-- 
Martin Weis
PGP-Key: http://datenroulette.de/pgp.php

--- End Message ---

--- Begin Message ---

Source: mysql-dfsg-5.0
Source-Version: 5.0.45-2

We believe that the bug you reported is fixed in the latest version of
mysql-dfsg-5.0, which is due to be installed in the Debian FTP archive:

libmysqlclient15-dev_5.0.45-2_i386.deb
  to pool/main/m/mysql-dfsg-5.0/libmysqlclient15-dev_5.0.45-2_i386.deb
libmysqlclient15off_5.0.45-2_i386.deb
  to pool/main/m/mysql-dfsg-5.0/libmysqlclient15off_5.0.45-2_i386.deb
mysql-client-5.0_5.0.45-2_i386.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-client-5.0_5.0.45-2_i386.deb
mysql-client_5.0.45-2_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-client_5.0.45-2_all.deb
mysql-common_5.0.45-2_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-common_5.0.45-2_all.deb
mysql-dfsg-5.0_5.0.45-2.diff.gz
  to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.45-2.diff.gz
mysql-dfsg-5.0_5.0.45-2.dsc
  to pool/main/m/mysql-dfsg-5.0/mysql-dfsg-5.0_5.0.45-2.dsc
mysql-server-5.0_5.0.45-2_i386.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server-5.0_5.0.45-2_i386.deb
mysql-server_5.0.45-2_all.deb
  to pool/main/m/mysql-dfsg-5.0/mysql-server_5.0.45-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Norbert Tretkowski <[EMAIL PROTECTED]> (supplier of updated mysql-dfsg-5.0 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 14 Nov 2007 20:00:06 +0100
Source: mysql-dfsg-5.0
Binary: libmysqlclient15-dev mysql-client mysql-client-5.0 mysql-server 
mysql-server-5.0 mysql-common libmysqlclient15off
Architecture: source all i386
Version: 5.0.45-2
Distribution: unstable
Urgency: low
Maintainer: Debian MySQL Maintainers <[EMAIL PROTECTED]>
Changed-By: Norbert Tretkowski <[EMAIL PROTECTED]>
Description: 
 libmysqlclient15-dev - MySQL database development files
 libmysqlclient15off - MySQL database client library
 mysql-client - MySQL database client (meta package depending on the latest 
versi
 mysql-client-5.0 - MySQL database client binaries
 mysql-common - MySQL database common files
 mysql-server - MySQL database server (meta package depending on the latest 
versi
 mysql-server-5.0 - MySQL database server binaries
Closes: 349661 368547 421026 426442 426545 426783 430944 435744 438375 442684
Changes: 
 mysql-dfsg-5.0 (5.0.45-2) unstable; urgency=low
 .
   * Package is now team-maintained. (closes: #421026)
 .
   [ Sean Finney ]
   * New/updated debconf translations:
     - Spanish, from Javier Fernández-Sanguino Peña (closes: #426442).
     - German, from Alwin Meschede (closes: #426545).
     - Danish, from Claus Hindsgaul (closes: #426783).
     - French, from Christian Perrier (closes: #430944).
   * Add Recommends on libterm-readkey-perl for mysql-client-5.0 package, used
     by mysqlreport add-on to mask password entry (closes: #438375).
 .
   [ Norbert Tretkowski ]
   * Add myself to uploaders.
   * Suggest usage of an update statement on the user table to change the mysql
     root user password instead using mysqladmin, to catch all root users from
     all hosts. (closes: #435744)
   * Remove informations about a crash in the server during flush-logs when
     having expire_logs_days enabled but log-bin not, this bug was fixed in
     5.0.32 already. (closes: #368547)
   * Disable log_bin option in default config file and add a note to the NEWS
     file. (closes: #349661)
   * Fix FTBFS if build twice in a row. (closes: #442684)
   * Remove check for buggy options from init script.
   * Update innotop to 1.6.0 release.
   * Add mysqlreport and innotop to mysql-client description.
   * Use shorter server version string.
Files: 
 7383495ff303bf9c733089be8453f51f 1231 misc optional mysql-dfsg-5.0_5.0.45-2.dsc
 b20814b76507c6f156481175dfd0b343 291255 misc optional 
mysql-dfsg-5.0_5.0.45-2.diff.gz
 aca35cb95ef1f3863fb53212b2be1e2c 56638 misc optional 
mysql-common_5.0.45-2_all.deb
 0a998f608f0eb0f656eae0419bf92d4c 49884 misc optional 
mysql-server_5.0.45-2_all.deb
 4e763a15d56530e59821f45db2a21d74 47688 misc optional 
mysql-client_5.0.45-2_all.deb
 2af60a1637b9c9c12894a72ef7db75f8 1850116 libs optional 
libmysqlclient15off_5.0.45-2_i386.deb
 157bc4daf0dbca0f5af018d9e743cd32 7004750 libdevel optional 
libmysqlclient15-dev_5.0.45-2_i386.deb
 373e7592db921ca37386ec71fe772408 7493964 misc optional 
mysql-client-5.0_5.0.45-2_i386.deb
 a6f756acddd7fd730ca02da4491da43b 26839808 misc optional 
mysql-server-5.0_5.0.45-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHO1Hqr/RnCw96jQERAjqPAJ9R0u6KGzGLy0YfeeF4jqU+3Y4H9ACgj4lZ
icRwrgk5hT2PbQ6jpkCmAEk=
=1HME
-----END PGP SIGNATURE-----

--- End Message ---