*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Jamie Strandboge
(jdstrand):
Binary package hint: mythtv
Mysql passwords are leaked on the command line, visible by any local
user running "ps".
See:
./debian/mythtv-database.config: while ! echo "show databases;" |
mysql --host="$HOST" --user="$USER" --password="$PASSWORD" >/dev/null 2>&1; do
./mythplugins/mythvideo/contrib/videometadata: echo "UPDATE videometadata
SET coverfile=\"$THUMB_PATH\" WHERE filename=\"${DATEI}\" ;" | mysql -u $USER
--password=$PASSW -D $DATABASE -h $HOST
./mythplugins/mythvideo/contrib/videometadata: echo "UPDATE videometadata
SET coverfile=\"$THUMB_PATH\" WHERE filename=\"${DATEI}\" ;" | mysql -u $USER
--password=$PASSW -D $DATABASE -h $HOST
./mythplugins/mythvideo/contrib/videometadata:echo "UPDATE videometadata SET
showlevel=$SHOWLEVEL WHERE filename LIKE '$RATED_DIR/%' ;" | mysql -u $USER
--password=$PASSW -D $DATABASE -h $HOST
and
./debian/mythtv-database.postinst: mysql $SECURITY_INFO $database
./debian/mythtv-database.postinst: mysql $SECURITY_INFO "$database"
>/dev/null 2>&1; then
./debian/mythtv-database.postinst: mysql $SECURITY_INFO "$database"
>/dev/null 2>&1; then
./debian/mythtv-database.postinst: SECURITY_INFO="--host=\"$hostname\"
--user=\"$admin_username\" $admin_password"
./debian/mythtv-database.postinst: mysql $SECURITY_INFO "$database"
>/dev/null 2>&1; then
./debian/mythtv-database.postinst: mysql $SECURITY_INFO "$database"
>/dev/null 2>&1; then
./debian/mythtv-database.postinst:
SECURITY_INFO="--defaults-file=/etc/mysql/debian.cnf"
./debian/mythtv-database.postinst: SECURITY_INFO="--host=\"$hostname\"
--user=\"$admin_username\" $admin_password"
./debian/mythtv-database.postinst: if ! echo "SELECT NULL;" | mysql
$SECURITY_INFO "$database" >/dev/null 2>&1; then
./debian/mythtv-database.postinst: while ! echo "CREATE DATABASE
$database;" | mysql $SECURITY_INFO ; do
./debian/mythtv-database.postinst: if ! echo "SELECT value FROM settings
LIMIT 1, 1;" | mysql $SECURITY_INFO "$database" >/dev/null 2>&1; then
The proper fix is to use a --defaults-file containing the password, per:
*
http://dev.mysql.com/doc/refman/5.1/en/option-files.html#option_general_defaults-file
** Affects: mythtv (Ubuntu)
Importance: Undecided
Status: New
--
passwords leaked on command line
https://bugs.launchpad.net/bugs/789356
You received this bug notification because you are a member of Ubuntu Bugs,
which is a direct subscriber.
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
