Your message dated Fri, 21 Mar 2008 07:52:17 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#439392: fixed in backup-manager 0.7.5-4
has caused the Debian Bug report #439392,
regarding backup-manager: password disclosure in backup uploads
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
439392: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=439392
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: backup-manager
Version: 0.7.5-3
Severity: critical
Tags: security
Justification: root security hole
Hi,
I just discovered that backup-manager disclosures the FTP password
during a running FTP upload in the process list.
A user which has shell access on the computer simply needs to run the command
ps wax | grep backup-manager
to get the FTP username, hostname and password. The output is something
like (I replaced here the sensitive data by FTPHOST, FTPUSER and FTPPASS):
3796 pts/1 SN+ 0:00 /bin/bash /usr/sbin/backup-manager -v
12647 pts/1 RN+ 0:47 /usr/bin/perl /usr/bin/backup-manager-upload -v
--ftp-purge -m=ftp -h=FTPHOST -u=FTPUSER -p=FTPPASS ...
With these data the attacking user is able to login into the same FTP
space where the archives created by backup-manager are uploaded to. So
the attacking user is also able to simply download these archive and
extract them as a normal user -- with full access on all included files,
even on those originally accessible by root only. :-(
Have a nice day
Micha
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-k7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages backup-manager depends on:
ii debconf [debconf-2.0] 1.5.11 Debian configuration management sy
ii findutils 4.2.28-1 utilities for finding files--find,
ii gzip 1.3.5-15 The GNU compression utility
ii ucf 2.0020 Update Configuration File: preserv
backup-manager recommends no packages.
-- debconf information excluded
--- End Message ---
--- Begin Message ---
Source: backup-manager
Source-Version: 0.7.5-4
We believe that the bug you reported is fixed in the latest version of
backup-manager, which is due to be installed in the Debian FTP archive:
backup-manager-doc_0.7.5-4_all.deb
to pool/main/b/backup-manager/backup-manager-doc_0.7.5-4_all.deb
backup-manager_0.7.5-4.diff.gz
to pool/main/b/backup-manager/backup-manager_0.7.5-4.diff.gz
backup-manager_0.7.5-4.dsc
to pool/main/b/backup-manager/backup-manager_0.7.5-4.dsc
backup-manager_0.7.5-4_all.deb
to pool/main/b/backup-manager/backup-manager_0.7.5-4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <[EMAIL PROTECTED]> (supplier of updated backup-manager package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 15 Mar 2008 22:34:06 +0100
Source: backup-manager
Binary: backup-manager backup-manager-doc
Architecture: source all
Version: 0.7.5-4
Distribution: stable-security
Urgency: high
Maintainer: Alexis Sukrieh <[EMAIL PROTECTED]>
Changed-By: Thijs Kinkhorst <[EMAIL PROTECTED]>
Description:
backup-manager - command-line backup tool
backup-manager-doc - documentation package for Backup Manager
Closes: 439392
Changes:
backup-manager (0.7.5-4) stable-security; urgency=high
.
* Backport from unstable (version 0.7.6-4) for closing a security issue:
FTP password disclosure during FTP uploads. Uses maintainer-supplied
patch. Closes: #439392. CVE-2007-4656.
Files:
e63192d8ad7753a47baaae9c9df26f25 1036 admin optional backup-manager_0.7.5-4.dsc
76e1c9cea0b8fb210d3862fd89e09c08 159855 admin optional
backup-manager_0.7.5.orig.tar.gz
4c4e6282b938b98e9488d44243d7bb96 98048 admin optional
backup-manager_0.7.5-4.diff.gz
bcb8c5d8902e36ac0348c94a84cf04cb 109278 admin optional
backup-manager_0.7.5-4_all.deb
d97a5222cf45f9feb451ffb9c0c66164 219546 doc optional
backup-manager-doc_0.7.5-4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBR9xBVmz0hbPcukPfAQJeUwf8Cxh8WlsiwpC4NvECul6ExmFbaID+UDS+
JF2tENyO9r9TnZAlzTKlHCQK8FdFHndO+/bFM3nzhTGD/2EX9uRSetWPtlzn/eXB
fmP7AtkYoq+pb0ihGYNLhN89z2EeRitVW7OQxr9aZh6un6IGWiwSSpqaV1VTs3mn
h1GB+mIlLbA3FA03uVgN56rHMjsP6oeOJiLA/HyBYpP94w6TtkQyH89wggcH6wvg
SQG9Nqwet8ELq/D9KmYAZevtQE5OTNXSUaJaADhc7JSoGgrHcIA9HchoJklI2VWf
M93gQpSa23CPlquwsvFTaqqY5FX5pgFWrUZ0pch8A7SvDbLK4Xi6Cw==
=1W4A
-----END PGP SIGNATURE-----
--- End Message ---