package: debian-edu-config
severity: important
version: squeeze/r0
spaces need adequate quoting of the password variable in both gosa-sync
and gosa.conf.
It is also very likely a security hazard in letting the user-supplied
password string unquoted in those two files, whence
Petter Reinholdtsen wrote, on 24/03/2012 23:52:
The GOsa-Kerberos sync script is from debian-edu-config, see
/usr/share/debian-edu-config/tools/gosa-sync.
thanks, I noticed $USERPASSWD was not quoted in this file, and neither
in /etc/gosa/gosa.conf, and this very likely allows users to run
tags 665696 + pending
thanks
[Samuel Krempp]
The following patch just adds the quoting, and was verified to fix the
issue.
Thank you. I have committed the fix to svn.
--
Happy hacking
Petter Reinholdtsen
--
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of
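The quoting bug fixed above, as an added example that is not code from debian-edu-config or from the thread's patch: a small POSIX sh script showing what a bare $USERPASSWD does to a password containing blanks or a `*`, and how to hand a secret to a command's stdin without echo mangling it. The function names and the scratch file name `secret-file` are constructed for the demonstration; kadmin itself is not invoked.

```shell
#!/bin/sh
# Added example, not code from debian-edu-config: why $USERPASSWD in a
# script like gosa-sync must be double-quoted before it reaches kadmin.
# "set --" stands in for the consuming command so we can count and
# inspect the arguments the shell would actually hand over.

# Words the consuming command receives when the variable is left bare:
# the shell splits on whitespace first.  ("pa ss word" -> 3)
argc_unquoted() {
    USERPASSWD=$1
    # shellcheck disable=SC2086  (the bug is reproduced on purpose)
    set -- $USERPASSWD
    echo "$#"
}

# Quoted: the password is always exactly one argument.  ("pa ss word" -> 1)
argc_quoted() {
    USERPASSWD=$1
    set -- "$USERPASSWD"
    echo "$#"
}

# Globbing: run in a scratch directory holding one file, so an unquoted
# password containing * is silently replaced by that filename.  The
# principal would end up with a password nobody typed, and no error.
first_arg_unquoted_in_dir_with_file() {
    dir=$(mktemp -d) || return 1
    : > "$dir/secret-file"
    USERPASSWD=$1
    # shellcheck disable=SC2086
    ( cd "$dir" && set -- $USERPASSWD && printf '%s' "$1" )
    rm -rf "$dir"
}

# Same scratch directory, but quoted: the pattern survives untouched.
first_arg_quoted_in_dir_with_file() {
    dir=$(mktemp -d) || return 1
    : > "$dir/secret-file"
    USERPASSWD=$1
    ( cd "$dir" && set -- "$USERPASSWD" && printf '%s' "$1" )
    rm -rf "$dir"
}

# Safe hand-off of the secret on stdin: printf '%s' does not interpret a
# leading -n or backslash escapes the way echo may.  The reading side uses
# IFS= and -r so leading blanks and backslashes survive too.
feed_password() {
    printf '%s\n' "$1" | { IFS= read -r got; printf '%s' "$got"; }
}
```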
Processing commands for cont...@bugs.debian.org:
tags 665696 + pending
Bug #665696 [debian-edu-config] gosa-sync breaks on passwords containing spaces
Added tag(s) pending.
thanks
Stopping processing here.
Please contact me if you need assistance.
--
665696:
Samuel Krempp wrote, on 25/03/2012 10:12:
I wonder if quotes could also be used to run exploits through the
password ?
I just tried some engineered password, and well, yes, userpassword needs
more escaping. Let's hope the mom of little bobby tables won't also pick
a smart password :-)
[Petter Reinholdtsen]
I was told on IRC by the bug reporter, bammes, that his installation
worked when he did not use characters like * and # in the password.
This made me check the code to see if the root and first user
passwords are properly quoted in the source. The attached patch fixes
a
Petter Reinholdtsen wrote, on 25/03/2012 10:45:
tags 665696 + pending
thanks
[Samuel Krempp]
The following patch just adds the quoting, and was verified to fix the
issue.
Thank you. I have committed the fix to svn.
the issue remains for other special characters, at least quotes. But the
Samuel Krempp wrote, on 25/03/2012 11:41:
I see GOsa devs noticed the security issue 19 months ago :
https://oss.gonicus.de/labs/gosa/ticket/1026
Additionally, the script parameters are not escaped right now; somebody
could do nasty things with them. I will have a look at this too.
How serious is
I have to change my pwd first to update the expiration date after your
fix:
root@tjener:~# kadmin.local -q modpol -maxlife 0secs users
Authenticating as principal root/admin@INTERN with password.
root@tjener:~# echo getprinc berham |kadmin.local |grep -i passw
Authenticating as principal
It is not a bug,
it is a feature of Kerberos, I think.
Regards
Giorgio
On Sun, Mar 25, 2012 at 12:24:33PM +0200, Bernhard Hammes wrote:
I have to change my pwd first to update the expiration date after your
fix:
root@tjener:~# kadmin.local -q modpol -maxlife 0secs users
Authenticating as
Accepted:
debian-edu-config-gosa-netgroups_1.454~svn77170_all.deb
to
pool/local/d/debian-edu-config/debian-edu-config-gosa-netgroups_1.454~svn77170_all.deb
debian-edu-config_1.454~svn77170.dsc
to pool/local/d/debian-edu-config/debian-edu-config_1.454~svn77170.dsc
Hi,
Since debconf-set/get-selections have no mechanism for quoting,
introducing one could break applications that already expect to set
values with chars such as: ' \
So instead, perhaps change the behaviour of debconf-get-selections to
treat # to denote a comment, only if it appears on the
Ahah!
Joey Hess already committed a fix for this issue in Wheezy:
http://anonscm.debian.org/gitweb/?p=debconf/debconf.git;a=commitdiff;h=59a0a653cbe1b8f4cb63849847f47e4043ec7fdc
But if Debian Edu needs this fixed in Squeeze, my previous patch would
be the least obtrusive diff. (The code has
Accepted:
debian-edu-config-gosa-netgroups_1.454~svn77182_all.deb
to
pool/local/d/debian-edu-config/debian-edu-config-gosa-netgroups_1.454~svn77182_all.deb
debian-edu-config_1.454~svn77182.dsc
to pool/local/d/debian-edu-config/debian-edu-config_1.454~svn77182.dsc
tags 664976 + pending
thanks
[Petter Reinholdtsen]
I've uploaded code to add quotes to
squeeze-test, but the problem with # is unsolved. I hope this will
avoid the hang. It will still set the wrong password. :(
I can confirm that the hang disappeared by quoting the passwords
properly in
Processing commands for cont...@bugs.debian.org:
tags 664976 + pending
Bug #664976 [debian-edu-config] debian-edu-config: installer hang during
debian-edu-profile run at the end
Added tag(s) pending.
thanks
Stopping processing here.
Please contact me if you need assistance.
--
664976:
package debconf
tags 636219 + patch squeeze
reopen 589519 =
severity 589519 important
merge 589519 636219
found debconf/1.5.36.1
found debconf/1.5.38
fixed debconf/1.5.39
thanks
Hi,
I'm merging this with an older bug report about the same issue. I'm
reopening that and tagging as 'squeeze'
Processing commands for cont...@bugs.debian.org:
block 664976 by 589519
Bug #664976 [debian-edu-config] debian-edu-config: installer hang during
debian-edu-profile run at the end
664976 was blocked by: 636219
664976 was not blocking any bugs.
Added blocking bug(s) of 664976: 589519
merge