Control: severity -1 important Control: retitle -1 mysql-server: CVE-2013-2162: Insecure creation of the credential file debian.cnf
Hi On Sat, Jun 08, 2013 at 12:26:35PM +0200, vladz wrote: > Package: mysql-server > Version: 5.5.31+dfsg-0+wheezy1 > Tags: security > > The file "/etc/mysql/debian.cnf", which contains plain text credentials > for the "debian-sys-maint" mysql user, is created in an insecure manner > during the package installation phase. This can lead a non-privileged > local user to disclose its content and use this special account to > perform administration tasks. > > The file is created by the post-installation script: > > $ vim -c "set nu" mysql-5.5-5.5.31+dfsg/debian/mysql-server-5.5.postinst > [...] > 170 dc=$mysql_cfgdir/debian.cnf; > [...] > 176 cat /dev/null > $dc > [...] > 178 echo "[client]" >>$dc > 179 echo "host = localhost" >>$dc > 180 echo "user = debian-sys-maint" >>$dc > 181 echo "password = $pass" >>$dc > [...] > 191 chown 0:0 $dc > 192 chmod 0600 $dc > > There is a time lapse (between lines 176 and 191) where the file > permissions are 644 (settled by the default umask). At this time, a > user can open the file with the O_RDONLY flag and disclose its content > even after the chmod is executed at line 192 (yes, the user's file > descriptor won't be affected by this action). > > Anyway, I suggest to force a umask value to 077 before this file is > created. > > I have a trivial PoC if needed. A CVE id was assigned to this issue: CVE-2013-2162. When you fix this issue please make sure to include the CVE in the changelog. Regards, Salvatore -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

