Bug#555680: System information in bug reports may be security-sensitive

2009-11-19 Thread Stefan Lippers-Hollmann
Hi

r14441 [1], hide wireless keys and wake-on-LAN password when including 
network configuration in bug reports (bug #555680).

It is unfortunately not enough to prune wireless-key from bug reports, as 
wpasupplicant defines additional means to configure passwords for wireless 
links[2], namely wpa-psk and wpa-password. Additionally, I suggest pruning 
commented-out lines as well, as these might contain passwords or other 
sensitive information and have no relevance for bug reporting.

The attached, valid, /etc/network/interfaces example illustrates the 
problem with these means of configuration. The following patch applies to
sid and trunk of linux-2.6 (r14649).

[1] http://svn.debian.org/viewsvn/kernel/dists/sid/linux-2.6/debian/templates/image.plain.bug/include-network?r1=14441r2=14597
[2] http://svn.debian.org/viewsvn/pkg-wpa/wpasupplicant/trunk/debian/README.Debian?view=markup

Signed-off-by: Stefan Lippers-Hollmann s@gmx.de

Index: debian/templates/image.plain.bug/include-network
===
--- debian/templates/image.plain.bug/include-network(revision 14649)
+++ debian/templates/image.plain.bug/include-network(working copy)
@@ -5,7 +5,10 @@
   echo '** Network interface configuration:' 3
   # Hide passwords/keys
   awk '$1 ~ /^wireless-key/ { gsub(., *, $2); }
+   $1 ~ /^wpa-psk/ { gsub(., *, $2); }
+   $1 ~ /^wpa-password/ { gsub(., *, $2); }
$1 == ethtool-wol { gsub(., *, $3); }
+   !/^\#/
{ print; }
   ' /etc/network/interfaces 3
   echo 3
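
Review bot: The added `!/^\#/` sits on its own line above `{ print; }`, and awk ends a rule at the newline, so these are two separate rules rather than one guarded print. The bare pattern prints every non-comment line by default, and the unconditional `{ print; }` then prints every line again, comments included. As written, the commented-out wpa-psk and wpa-password lines would still reach the report (their `$1` is `#`, so the masking rules skip them) and all other lines would appear twice. Put pattern and action on one line, `!/^\#/ { print; }`, or add a `/^#/ { next }` rule ahead of the others. A smaller point on the two new masking rules: only `$2` is masked, so the remaining words of a wpa-psk or wpa-password passphrase that contains spaces would stay readable.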
# Used by ifup(8) and ifdown(8). See the interfaces(5) manpage or
# /usr/share/doc/ifupdown/examples for more information.

auto lo
iface lo inet loopback

allow-hotplug eth0
iface eth0 inet dhcp

allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf

iface linksys_aes inet dhcp
iface default inet dhcp

auto wlan1
iface wlan1 inet dhcp
wpa-ssid something
wpa-psk 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
#   wpa-psk 2123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

auto wlan2
iface wlan2 inet dhcp
wpa-ssid somethingelse
wpa-password myplaintextpassword
#   wpa-password yourplaintextpassword

auto wlan3
iface wlan3 inet dhcp
wireless-essid somethingveryelse
wireless-key mypassword
#   wireless-key yourpassword
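
A scrubber along the lines discussed in this message, as an added example that is not part of the original mail or of the Debian bug script: it drops comment lines and replaces everything after a secret-bearing option with a fixed marker, so passphrases containing spaces, and their length, are not disclosed. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example. scrub_interfaces and sample_interfaces are hypothetical names.

# Print interfaces(5)-style text with secrets removed. Reads the files given
# as arguments, or stdin when there are none.
scrub_interfaces() {
    awk '
    function redact(first,   i, out) {
        if (NF < first) return          # option present without a value
        out = $1
        for (i = 2; i < first; i++) out = out " " $i
        $0 = out " <scrubbed>"          # fixed marker: hides the length too
    }
    # Drop comments, indented or not: a commented-out option can hold a key.
    /^[ \t]*#/ { next }
    # Prefix match on the option name, as in the patch. The whole rest of
    # the line is replaced because a passphrase may contain spaces.
    $1 ~ /^(wireless-key|wpa-psk|wpa-password)/ { redact(2) }
    # For ethtool-wol the patch treats field 3 as the password.
    $1 == "ethtool-wol" { redact(3) }
    { print }
    ' "$@"
}

# Constructed sample input; every key and password here is made up.
sample_interfaces() {
    cat <<'EOF'
auto wlan1
iface wlan1 inet dhcp
    wpa-ssid something
    wpa-psk correct horse battery
    #   wpa-psk oldsecret
    wireless-key s:legacykey
    ethtool-wol g 00:11:22:33:44:55
EOF
}

sample_interfaces | scrub_interfaces
```

Redacted lines lose their leading indentation because awk rebuilds the record; the unmodified lines are printed as they were.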


Bug#555680: [Secure-testing-team] Bug#555680: System information in bug reports may be security-sensitive

2009-11-12 Thread Yves-Alexis Perez
On Wed, 2009-11-11 at 02:34 +, Ben Hutchings wrote:
> The bug script now offers to include network configuration and status.
> The network configuration file /etc/network/interfaces may include
> encryption keys for wireless networks, which we should scrub.  There
> is also a more general problem of sensitive information in the kernel
> log, but I'm not sure what we can do about that.

Maybe add a big warning, a preview and a Y/N question about including
the script.

The thing is, if it defaults to N, a lot of people will just use “enter”
without caring much, and kernel team will receive a lot of useless
reports.

Cheers,
-- 
Yves-Alexis




Bug#555680: System information in bug reports may be security-sensitive

2009-11-10 Thread Ben Hutchings
Package: linux-2.6
Version: 2.6.31-1
Severity: normal
Tags: security

The bug script now offers to include network configuration and status.
The network configuration file /etc/network/interfaces may include
encryption keys for wireless networks, which we should scrub.  There
is also a more general problem of sensitive information in the kernel
log, but I'm not sure what we can do about that.

Ben.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.31-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash


