198473 2007-11-08 18:04 0000 app-backup/sarab < 0.2.4 unveils keyphrase via simple 'ps' or 'top' while running (CVE-2008-2517) 2008-06-03 22:52:11 0000 1 1 1 Unclassified Gentoo Security Default Configs unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/30394/ B3 [ebuild] P2 minor --- 212048 1 axel.privat@web.de security@gentoo.org app-backup@gentoo.org maintainer-needed@gentoo.org matsuu@gentoo.org axel.privat@web.de 2007-11-08 18:04:34 0000 The way the Gentoo scripts configure sarab (which in turn feeds dar) makes any user-configured keyphrases visible to everybody with shell access. Reproducible: Always Steps to Reproduce: 1. set encryption options including keyphrase in /etc/sarab.conf 2. run a non-trivial backup, so dar is running a few seconds 3. call 'ps --aux' as any user to read confidential keyphrase from shell It is absolutely trivial to fix this problem by e.g. outsourcing the encryption settings to a third file and include this file via sarab's command line option (and dar's respectively): '--batch' A call to 'top' or 'ps' would in that case only show where the password is stored, instead of unveiling the keyphrase directly. rbu@gentoo.org 2007-11-09 09:43:08 0000 App-backup, the application is in your category, but maintainer-needed. Can you advise on this? robbat2@gentoo.org 2007-11-09 09:52:14 0000 security: It's an old package that mkennedy maintained before he retired. No upstream releases for a couple of years, but from what I'm told, it's still very applicable to the tree. Matsuu maintains DAR, so he might have some insights. axel.privat: could you please attach a patch that implements what you describe? axel.privat@web.de 2007-11-10 19:35:20 0000 Created an attachment (id=135665) let dar read encryption options from file sarab.crypt instead of command line axel.privat@web.de 2007-11-10 19:37:20 0000 Created an attachment (id=135667) new file /etc/sarab/sarab.crypt containing encryption options axel.privat@web.de 2007-11-10 19:43:54 0000 Outsourcing the encryption options to a file that is to be read by dar alters the command line in a way that prevents the keyphrase from beeing exposed. The above patches work for me, hope it helps others, too. Please let me know if the patch cannot be applied (it's the first time I tried to create a patch file) -- I'd like to see the sarab package stay around for a while as it works just as advertised. :) axel.privat@web.de 2007-11-10 19:46:19 0000 Created an attachment (id=135668) let dar read encryption options from file sarab.crypt instead of command line fixed comment axel.privat@web.de 2007-11-10 19:55:52 0000 ...forgot to say that, of course, the file sarab.crypt must have the same restrictive permissions as the file sarab.conf: > chmod 600 sarab.crypt py@gentoo.org 2007-11-13 19:09:07 0000 app-backup, does the patch seem ok? If yes, please provide an updated ebuild. py@gentoo.org 2007-12-08 23:55:03 0000 (In reply to comment #8) > app-backup, does the patch seem ok? If yes, please provide an updated ebuild. > *ping* py@gentoo.org 2008-05-11 13:41:29 0000 (In reply to comment #9) > (In reply to comment #8) > > app-backup, does the patch seem ok? If yes, please provide an updated ebuild. > > > > *ping* > ... timeout :( could someone please apply the patches so that we can move forward? thanks. rbu@gentoo.org 2008-05-12 19:39:11 0000 0.2.3 is released, and it has included a new password mechanism. From my understanding, it's vulnerable to the same issue. I contacted upstream to work out a solution, because from what I understand, the solution posted here has drawbacks in terms of "testing" backups. I'll report back whenever I have a reply and hopefully bump the package. py@gentoo.org 2008-06-01 18:10:36 0000 0.2.4 has been released. rbu, feel like bumping it? rbu@gentoo.org 2008-06-01 18:59:34 0000 Right, upstream was very helpful via private mail. I wanted to review the code changes before bumping it though, hopefully soon. rbu@gentoo.org 2008-06-03 22:52:11 0000 *sarab-0.2.4 (03 Jun 2008) 03 Jun 2008; Robert Buchholz <rbu@gentoo.org> -files/0.2.2-fix-rotation-gentoo.patch, -files/0.2.2-test-with-encryption-gentoo.patch, -files/0.2.2-refname-calculation-gentoo.patch, +files/0.2.4-better-defaults-gentoo.patch, -files/0.2.2-better-defaults-gentoo.patch, files/README.Gentoo, -sarab-0.2.2-r1.ebuild, -sarab-0.2.2-r2.ebuild, +sarab-0.2.4.ebuild: Version bump, fixes security bug #198473 (CVE-2008-2517), DAR encryption passwords were visible to local users via ps. Also introduces support for newer versions of DAR (bug #212048). 135665 2007-11-10 19:35 0000 let dar read encryption options from file sarab.crypt instead of command line sarab.conf.patch text/plain LS0tIHNhcmFiLmNvbmYJMjAwNy0xMS0xMCAxNjoyNjo1Ny4wMDAwMDAwMDAgKzAxMDAKKysrIHNh cmFiLmNvbmYJMjAwNy0xMS0xMCAxNTo1Nzo1MS4wMDAwMDAwMDAgKzAxMDAKQEAgLTU1LDExICs1 NSw5IEBAIExPR19GSUxFPSIvdmFyL2xvZy9zYXJhYi5sb2ciCiAjIERlZmF1bHQ9Im5vIgogU0FS QUJfVkVSQk9TRT0ibm8iCiAKLSMgSWYgbm9uLWVtcHR5LCBEQVJfRU5DUllQVElPTl9PUFRJT05T IGNvbnRhaW5zIHRoZSBjaXBoZXIgb3B0aW9ucyBhbmQga2V5IHRvIGJlCi0jIHVzZWQgdG8gZW5j cnlwdCB0aGUgYmFja3Vwcy4gIFNlZSB0aGUgZGFyKDEpIG1hbnVhbCBmb3IgYSBkZXNjcmlwdGlv biBvZiB3aGF0Ci0jIGlzIHBvc3NpYmxlLgotIyBlZy4gREFSX0VOQ1JZUFRJT05fT1BUSU9OUz0i LS1jcnlwdG8tYmxvY2sgMjA0ODAgLS1rZXkgYmxvd2Zpc2g6TXlfQ29tcGxlWF9rZXlfMTIzIgot REFSX0VOQ1JZUFRJT05fT1BUSU9OUz0iIgorIyBQbGVhc2UgZWRpdCBlbmNyeXB0aW9uIG9wdGlv bnMgaW4gL2V0Yy9zYXJhYi5jcnlwdAorIyBjZi4gYnVnIHJlcG9ydCAjMTk4NDczCitEQVJfRU5D UllQVElPTl9PUFRJT05TPSItLWJhdGNoIC9ldGMvc2FyYWIvc2FyYWIuY3J5cHQiCiAKICMjIyMj IyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj IyMjIwogIyBETyBOT1QgRURJVCBCRUxPVyBUSElTIExJTkUgVU5MRVNTIFlPVSBLTk9XIFdIQVQg WU9VIEFSRSBET0lORyAjCg== 135667 2007-11-10 19:37 0000 new file /etc/sarab/sarab.crypt containing encryption options sarab.crypt text/plain IyBJZiBub24tZW1wdHksIERBUl9FTkNSWVBUSU9OX09QVElPTlMgY29udGFpbnMgdGhlIGNpcGhl ciBvcHRpb25zIGFuZCBrZXkgdG8gYmUKIyB1c2VkIHRvIGVuY3J5cHQgdGhlIGJhY2t1cHMuICBT ZWUgdGhlIGRhcigxKSBtYW51YWwgZm9yIGEgZGVzY3JpcHRpb24gb2Ygd2hhdAojIGlzIHBvc3Np YmxlLgojIGVnLjoKIyAtLWNyeXB0by1ibG9jayAyMDQ4MCAtLWtleSBibG93ZmlzaDpNeV9Db21w bGVYX2tleV8xMjMgLS1rZXktcmVmIGJsb3dmaXNoOk15X0NvbXBsZVhfa2V5XzEyMwo= 135668 2007-11-10 19:46 0000 let dar read encryption options from file sarab.crypt instead of command line sarab.conf.patch text/plain LS0tIHNhcmFiLmNvbmYJMjAwNy0xMS0xMCAxNjoyNjo1Ny4wMDAwMDAwMDAgKzAxMDAKKysrIHNh cmFiLmNvbmYJMjAwNy0xMS0xMCAxNTo1Nzo1MS4wMDAwMDAwMDAgKzAxMDAKQEAgLTU1LDExICs1 NSw5IEBAIExPR19GSUxFPSIvdmFyL2xvZy9zYXJhYi5sb2ciCiAjIERlZmF1bHQ9Im5vIgogU0FS QUJfVkVSQk9TRT0ibm8iCiAKLSMgSWYgbm9uLWVtcHR5LCBEQVJfRU5DUllQVElPTl9PUFRJT05T IGNvbnRhaW5zIHRoZSBjaXBoZXIgb3B0aW9ucyBhbmQga2V5IHRvIGJlCi0jIHVzZWQgdG8gZW5j cnlwdCB0aGUgYmFja3Vwcy4gIFNlZSB0aGUgZGFyKDEpIG1hbnVhbCBmb3IgYSBkZXNjcmlwdGlv biBvZiB3aGF0Ci0jIGlzIHBvc3NpYmxlLgotIyBlZy4gREFSX0VOQ1JZUFRJT05fT1BUSU9OUz0i LS1jcnlwdG8tYmxvY2sgMjA0ODAgLS1rZXkgYmxvd2Zpc2g6TXlfQ29tcGxlWF9rZXlfMTIzIgot REFSX0VOQ1JZUFRJT05fT1BUSU9OUz0iIgorIyBQbGVhc2UgZWRpdCBlbmNyeXB0aW9uIG9wdGlv bnMgaW4gL2V0Yy9zYXJhYi9zYXJhYi5jcnlwdAorIyBjZi4gYnVnIHJlcG9ydCAjMTk4NDczCitE QVJfRU5DUllQVElPTl9PUFRJT05TPSItLWJhdGNoIC9ldGMvc2FyYWIvc2FyYWIuY3J5cHQiCiAK ICMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj IyMjIyMjIyMjIwogIyBETyBOT1QgRURJVCBCRUxPVyBUSElTIExJTkUgVU5MRVNTIFlPVSBLTk9X IFdIQVQgWU9VIEFSRSBET0lORyAjCg==