Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 196834 (CVE-2007-5626) - app-backup/bacula <2.4.1 mySQL password disclosure (CVE-2007-5626)
Summary: app-backup/bacula <2.4.1 mySQL password disclosure (CVE-2007-5626)
Status: RESOLVED FIXED
Alias: CVE-2007-5626
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27243/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-10-23 20:24 UTC by Robert Buchholz (RETIRED)
Modified: 2008-07-24 15:02 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2007-10-23 20:24:01 UTC
CVE-2007-5626 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5626):
  make_catalog_backup in Bacula 2.2.5, and probably earlier, sends a MySQL
  password as a command line argument, and sometimes transmits cleartext e-mail
  containing this command line, which allows context-dependent attackers to
  obtain the password by listing the process and its arguments, or by sniffing
  the network.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-10-23 20:27:35 UTC
From http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=446809:

From: "Dan Langille" <dan@langille.org>
To: 446809@bugs.debian.org
Subject: isse documented in 2005
Date: Tue, 23 Oct 2007 11:11:48 -0400

Note: this issue has been documented since 2005:

http://www.bacula.org/rel-manual/Bacula_Security_Issues.html

"Be aware that if you are backing up your database using the default 
script, if you have a password on your database, it will be passed as 
a command line option to that script, and any user will be able to 
see this information. If you want it to be secure, you will need to 
pass it by an environment variable or a secure file."
...
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-10-23 20:28:51 UTC
Backup, Wolfram - please advise.
Comment 3 Wolfram Schlich (RETIRED) gentoo-dev 2007-10-24 16:19:19 UTC
Nobody should use that dumb script :)

I am using this Job myself to backup the catalog:
--8<--
# Backup the catalog database (after the nightly save)
Job {
        Enabled = yes
        Name = "BackupCatalog"
        Type = Backup
        Client = prometheus-fd
        Level = Full
        FileSet = "Catalog"
        Storage = "File"
        Pool = "DefaultPool"
        Schedule = "WeeklyCycleAfterBackup"
        Messages = Standard
        RunBeforeJob = "mysqldump --defaults-file=/etc/bacula/my.cnf --opt -f -r /var/lib/bacula/bacula.sql bacula"
        RunAfterJob  = "rm -f /var/lib/bacula/bacula.sql"
        Write Bootstrap = "/var/lib/bacula/BackupCatalog.bsr"
        Priority = 11 # run after backups which have a priority of 10
}
--8<--
As you can see from the RunBeforeJob, the mysqldump is using
the custom defaults file /etc/bacula/my.cnf which contains
the relevant authentication data.
Maybe we should advise the users from pkg_postinst() to do
it that way...
It's not difficult to write a custom catalog backup wrapper
script that takes care of secure password handling IMHO.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-10-24 22:20:41 UTC
(In reply to comment #3)
> It's not difficult to write a custom catalog backup wrapper
> script that takes care of secure password handling IMHO.

Is it possible not to install that file? The problem is that if a packages installs it, users might trust it. If you have a good script, why not include that one? Also, the debian bug referenced above has a patch for the script.

Either of the three options sounds better than blindly installing that script.
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-08 23:50:46 UTC
Any news here? Wolfram, what do you suggest?
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-05 21:18:52 UTC
(In reply to comment #5)
> Any news here? Wolfram, what do you suggest?
> 

*ping*
Comment 7 Matthias Geerdsen (RETIRED) gentoo-dev 2008-06-17 12:06:22 UTC
what is the status on this one???
Comment 8 Wolfram Schlich (RETIRED) gentoo-dev 2008-06-17 15:22:24 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > It's not difficult to write a custom catalog backup wrapper
> > script that takes care of secure password handling IMHO.
> 
> Is it possible not to install that file? The problem is that if a packages
> installs it, users might trust it. If you have a good script, why not include
> that one? Also, the debian bug referenced above has a patch for the script.
> 
> Either of the three options sounds better than blindly installing that script.

Well, the bundled script works for several database types
(mysql, pgsql, sqlite) whereas what I posted only works
for mysql.

Personally I do not want to skip installing that file (I'd
have to patch the default configs as well).
I consider that script as an _example_, nothing more (yes,
I know that it's "enabled" by default).
If a user *wants* to use that script without modification,
it's his decision.

I'd like to warn the user from pkg_postinst() instead.
Anyone blindly using such complex applications is
simply wrong IMHO.
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-06 17:58:45 UTC
 > I'd like to warn the user from pkg_postinst() instead.
> Anyone blindly using such complex applications is
> simply wrong IMHO.
> 

Sounds like an acceptable solution. could you please provide an updated ebuild?
Comment 10 Wolfram Schlich (RETIRED) gentoo-dev 2008-07-09 09:17:37 UTC
(In reply to comment #9)
>  > I'd like to warn the user from pkg_postinst() instead.
> > Anyone blindly using such complex applications is
> > simply wrong IMHO.
> 
> Sounds like an acceptable solution. could you please provide an updated ebuild?

I just added this to 2.4.0-r1 (which I did not commit yet) -- what do
you think?

 * *** ATTENTION! IMPORTANT! ATTENTION! IMPORTANT! ATTENTION! IMPORTANT! ***
 *
 * The bundled catalog backup script (/usr/libexec/bacula/make_catalog_backup)
 * is INSECURE. The script needs to be called with the database access password
 * as a command line parameter, thus, the password can be seen from any other
 * user on the system (if not using some non-default hardened/patched kernel
 * with /proc restrictions)!
 *
 * Our advice is to NOT USE the bundled script at all, but instead use something
 * like this in your catalog backup job definition (example using MySQL as the
 * catalog database):
 *
 * RunBeforeJob = "mysqldump --defaults-file=/etc/bacula/my.cnf --opt -f -r /var/lib/bacula/bacula.sql bacula"
 * RunAfterJob  = "rm -f /var/lib/bacula/bacula.sql"
 *
 * This requires you to put all database access parameters (like user, host and
 * password) into a dedicated file (/etc/bacula/my.cnf in this example) which
 * can (and should!) be secured by simple filesystem access permissions.
 *
 * *** ATTENTION! IMPORTANT! ATTENTION! IMPORTANT! ATTENTION! IMPORTANT! ***
Comment 11 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-09 11:35:28 UTC
looks ok to me. security, any opinions? 
wolfram: if no one objects in the next few days, I think you can commit it.
Comment 12 Wolfram Schlich (RETIRED) gentoo-dev 2008-07-10 19:45:17 UTC
I'm about to commit 2.4.1 which has that security warning...
Comment 13 Wolfram Schlich (RETIRED) gentoo-dev 2008-07-11 08:38:51 UTC
Committed 2.4.1 incorporating the warning.
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-11 09:42:50 UTC
thanks.
Arches, please test and mark stable app-backup/bacula-2.4.1. Target KEYWORDS: "~amd64 hppa ppc sparc x86"
Comment 15 Ferris McCormick (RETIRED) gentoo-dev 2008-07-11 13:16:37 UTC
Sparc stable, everything as expected. Active USE flags for this build:
X bacula-console doc mysql python qt4 readline ssl tcpd
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-13 17:59:44 UTC
ppc stable
Comment 17 Jeroen Roovers (RETIRED) gentoo-dev 2008-07-14 00:18:56 UTC
Stable for HPPA.
Comment 18 Dawid Węgliński (RETIRED) gentoo-dev 2008-07-14 01:55:46 UTC
Any reason you missed amd64 here?
Comment 19 Christian Faulhammer (RETIRED) gentoo-dev 2008-07-14 07:39:54 UTC
x86 stable
Comment 20 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-14 09:12:14 UTC
(In reply to comment #18)
> Any reason you missed amd64 here?
> 

Yep, AFAICT there were no previous stable version. if you want it stable on amd64, you'll have to open a new bug. All arches done, time for GLSA decision. I vote YES.
Comment 21 Tobias Heinlein (RETIRED) gentoo-dev 2008-07-15 10:41:42 UTC
YES for sure, filing request.
Comment 22 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-21 18:08:11 UTC
GLSA 200807-10, sorry for the delay.
Comment 23 John M. Drescher 2008-07-24 15:02:38 UTC
I assume this effects postgresql as well.