Your message dated Sat, 24 Oct 2009 18:17:09 +0000
with message-id <[email protected]>
and subject line Bug#551907: fixed in mandos 1.0.13-1
has caused the Debian Bug report #551907,
regarding mandos-client adds unnecessary files to initrd
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
551907: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=551907
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mandos-client
Version: 1.0.12-1
Severity: critical
Tags: security
Justification: root security hole
The update-initramfs hook script for mandos client adds several files
into the initrd that are not necessary for its operation. One of the
files being added causes a severe security risk for other mandos
clients in case the client acts as a mandos server, as well.
The superfluous files can be found in
initrd_root/etc/conf/conf.d/mandos/
First of all, backup files created by various text editors, for
instance emacsen's "filename~" (notice the tilde) files, are added
to the initrd.
More importantly, if the mandos server package is installed on the
same computer, the /etc/mandos/mandos.conf and
/etc/mandos/clients.conf will be added to the initrd, as well.
The latter contains the fingerprints of other mandos clients.
If the initrd file was compromised, it would be very easy to set
up a rogue mandos server in order to snoop the other clients' disk
encryption passwords.
Regards,
Dominik Bodi
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.31.4-via-1
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages mandos-client depends on:
ii adduser 3.111 add and remove users and groups
ii cryptsetup 2:1.1.0~rc2-1 configures encrypted block devices
ii libavahi-common3 0.6.25-1 Avahi common library
ii libavahi-core6 0.6.25-1 Avahi's embeddable mDNS/DNS-SD lib
ii libc6 2.10.1-1 GNU C Library: Shared libraries
ii libgnutls26 2.8.4-1 the GNU TLS library - runtime libr
ii libgpg-error0 1.6-1 library for common error values an
ii libgpgme11 1.2.0-1 GPGME - GnuPG Made Easy
mandos-client recommends no packages.
mandos-client suggests no packages.
-- no debconf information
--- End Message ---
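The report above says which files leak, but not how to check an initrd for them or what a narrower hook looks like. The script below is an added example, not code from the Mandos project or from the reporter: it audits an unpacked initrd tree for editor backups and server-only configuration, and shows a filtered copy a hook could use instead of copying /etc/mandos wholesale. It assumes (these are not stated on the page) that the only client-side files the initrd needs from /etc/mandos are plugin-runner.conf and the plugins.d directory, that the hook writes to $DESTDIR/etc/mandos, and it builds its own constructed sample tree so it runs offline.

```shell
#!/bin/sh
# Added example, not Mandos code. Audits an extracted initrd tree for files a
# mandos-client initrd should not carry, and shows a filtered copy for a hook.
# Assumptions (not from the bug report): the client needs only
# plugin-runner.conf and plugins.d from /etc/mandos; mandos.conf and
# clients.conf are server-only; editor backups are *~, #*#, .*.swp.

# List files under $1 that should not be in a client initrd.
find_leaked_files() {
    find "$1" -type f \( -name '*~' -o -name '#*#' -o -name '.*.swp' \
        -o -name 'mandos.conf' -o -name 'clients.conf' \) -print | sort
}

# Succeed only if the audit finds nothing.
initrd_is_clean() {
    [ -z "$(find_leaked_files "$1")" ]
}

# Filtered copy for a hook: allowlist what the client needs, then prune
# backup files that rode along inside plugins.d.
copy_client_conf() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    for f in "$src"/*; do
        [ -e "$f" ] || continue
        case "$(basename "$f")" in
            plugin-runner.conf) cp -p "$f" "$dest/" ;;
            plugins.d)          cp -Rp "$f" "$dest/" ;;
            *)                  continue ;;   # mandos.conf, clients.conf, *~ ...
        esac
    done
    find "$dest" -type f \( -name '*~' -o -name '#*#' -o -name '.*.swp' \) \
        -exec rm -f {} +
}

# Constructed sample /etc for a host that is both client and server, with
# an emacs backup left behind (values are placeholders, not real data).
make_sample_etc() {
    d="$1"
    mkdir -p "$d/mandos/plugins.d"
    printf '[DEFAULT]\n' > "$d/mandos/plugin-runner.conf"
    printf '[DEFAULT]\n' > "$d/mandos/plugin-runner.conf~"
    printf '[DEFAULT]\n' > "$d/mandos/mandos.conf"
    printf '[client1]\nfingerprint = 0000 0000 0000 0000\n' > "$d/mandos/clients.conf"
    : > "$d/mandos/plugins.d/askpass-fifo~"
}

# Compare a wholesale copy (the behaviour the report describes) with the
# filtered one.
demo() {
    tmp=$(mktemp -d)
    make_sample_etc "$tmp/etc"
    mkdir -p "$tmp/bad/etc"
    cp -Rp "$tmp/etc/mandos" "$tmp/bad/etc/"              # copy everything
    copy_client_conf "$tmp/etc/mandos" "$tmp/good/etc/mandos"
    echo "leaked by wholesale copy:"
    find_leaked_files "$tmp/bad"
    initrd_is_clean "$tmp/bad" && echo "bad tree clean?!" || echo "bad tree: leaks found"
    initrd_is_clean "$tmp/good" && echo "filtered tree: clean"
    rm -rf "$tmp"
}

demo
```

To audit a real initrd, unpack it first into a scratch directory (`zcat /boot/initrd.img-$(uname -r) | cpio -id`) and run `find_leaked_files` on that directory; the allowlist in `copy_client_conf` is deliberately explicit so that a server package installed later cannot widen what the hook ships.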
--- Begin Message ---
Source: mandos
Source-Version: 1.0.13-1
We believe that the bug you reported is fixed in the latest version of
mandos, which is due to be installed in the Debian FTP archive:
mandos-client_1.0.13-1_amd64.deb
to pool/main/m/mandos/mandos-client_1.0.13-1_amd64.deb
mandos_1.0.13-1.diff.gz
to pool/main/m/mandos/mandos_1.0.13-1.diff.gz
mandos_1.0.13-1.dsc
to pool/main/m/mandos/mandos_1.0.13-1.dsc
mandos_1.0.13-1_all.deb
to pool/main/m/mandos/mandos_1.0.13-1_all.deb
mandos_1.0.13.orig.tar.gz
to pool/main/m/mandos/mandos_1.0.13.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Teddy Hogeborn <[email protected]> (supplier of updated mandos package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 22 Oct 2009 00:53:21 +0200
Source: mandos
Binary: mandos mandos-client
Architecture: source amd64 all
Version: 1.0.13-1
Distribution: unstable
Urgency: high
Maintainer: Mandos Maintainers <[email protected]>
Changed-By: Teddy Hogeborn <[email protected]>
Description:
mandos - a server giving encrypted passwords to Mandos clients
mandos-client - do unattended reboots with an encrypted root file system
Closes: 551907
Changes:
mandos (1.0.13-1) unstable; urgency=high
.
* New upstream release.
* Do not copy unnecessary files to initrd (Closes: #551907)
Checksums-Sha1:
3d2bdd0be32313ad9aeffcde108fb309dd83165d 1953 mandos_1.0.13-1.dsc
1b781765f733023c87392d7c21d006bf192b3661 104830 mandos_1.0.13.orig.tar.gz
d63027984661dbb96386f0ec0eed773658b77789 7516 mandos_1.0.13-1.diff.gz
82000feec08f5e3a78482e2d9d95bc8694b59ef5 76766 mandos-client_1.0.13-1_amd64.deb
a1daea2531bc956a87bc7b6a7861324f2aa52150 45256 mandos_1.0.13-1_all.deb
Checksums-Sha256:
0e9e564ec535f8959dfddc2b9bed652fbda82dda71e55d7f02b796107a293bd4 1953 mandos_1.0.13-1.dsc
671fc9e9e240bd4431760c018fdb3a0dae96313e552ddfd51b265831013cefdd 104830 mandos_1.0.13.orig.tar.gz
b27f5be1657bd5c37015d5972f4cc48af8fc3d1139520ad7a76ff6d073f1103c 7516 mandos_1.0.13-1.diff.gz
8771b59eff7dcc3023ac57ee4782bfabfe560f7e321046343433be6108e48e2b 76766 mandos-client_1.0.13-1_amd64.deb
9899be29da59e303057f7d447aff06df4e8626a20ab166032f98eefd70b1ba00 45256 mandos_1.0.13-1_all.deb
Files:
71ad658ab5e9d423679f7590c3311235 1953 admin extra mandos_1.0.13-1.dsc
d29aab43926d3bade3a4b3273e2be96c 104830 admin extra mandos_1.0.13.orig.tar.gz
fc5a2f783bb0b42efb9bf5a6f35b67b3 7516 admin extra mandos_1.0.13-1.diff.gz
37319b6ff4731b01dfce9e3210d3a4a2 76766 admin extra mandos-client_1.0.13-1_amd64.deb
ca5640ed9faaec671885274b709dc2c6 45256 admin extra mandos_1.0.13-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iQIcBAEBAgAGBQJK40GCAAoJEBxXDIkOS9Cr5jgP/336NjW6DdODvY6EAjyXo8HZ
VLp/n9ZyN5UUqV+hv3WZsngK6bwAfnxT5svjUgYX11DdHXb5GAQxZcVyxVqbVkoj
QwgN5maKvTuMAYvfrc4uP2y5I3Wt6Y+aZd3igQ2h6YHxHpnCAhIVH2sSHSm38e9o
CSniCZp+tsAzDfLnPiefNP345P+eMLZsfDxB4Oo0RohTJHMtBc9TBAZvrgP7MAHj
K502zJIhIWuFduSNQceWMgR73fy2dlHSEHdV45pW0VXIyo8qvRA27wu7Sk5g/fto
MViITL+84jIUFJp3jxTflVYvu0GU4EKRBT66hVNazoI9fi2WeCxaZUnfweWFg/0n
OrdEhcVlXDlnVLHNxlHmxaoL5LGyDxmysI5QsRWXKxtn2sraHH1uwYsANBKPYiMu
zvrkLYqfObznJQd5F61dWFn4l9gyxZJuiWR/dIitWo7+Zbq54MzHhAQ0EvNVwBLy
/sWTN4YdcxkykXITLDtJmZOYboVC3R5cw7r1tD55+J2vgV2cUTvTt/NgYZclC7ta
/QpsMcl77IFeRYjjq16GVvUSq2a6rMRR0HvQPaGDe7m3QPhKA8OfWZphk7vJbGlD
9udNXAKmvaSO6CagfGf53TCGI3POf51XQe++HC6gGD4cDwRHxQFDk4PeCb9wCbxG
ip2eQOZs4Yqh5nl5If9F
=piqn
-----END PGP SIGNATURE-----
--- End Message ---