Bug 77731 - app-admin/webmin binary package contains sensitive info
Summary: app-admin/webmin binary package contains sensitive info
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: All
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B3 [glsa] koon
Reported: 2005-01-12 13:16 UTC by Tavis Ormandy (RETIRED)
Modified: 2005-02-11 13:08 UTC

Description Tavis Ormandy (RETIRED) gentoo-dev 2005-01-12 13:16:07 UTC
Building a tbz2 of the webmin package includes the encrypted root password; as people often distribute these, it's probably a good idea to not include the `miniserv.users` file as part of the package.

You could comment out the part of setup.sh that creates the file and then create it yourself in pkg_postinst(), that way the file won't be part of the package.

(perhaps this bug affects usermin as well?)

A few quick Google searches show that at least a few people are distributing webmin tbz2s to the whole world! *ouch* :)
Comment 1 Jeremy Huddleston (RETIRED) gentoo-dev 2005-01-12 17:44:37 UTC
How does miniserv.users get the root password? The tbz2 is generated in src_install as user portage, who can't even read /etc/shadow.

Am I missing something?
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2005-01-13 04:00:46 UTC
Looks like it gets it from this line in the ebuild:

crypt=`grep "^root:" ${ROOT}/etc/shadow | cut -f 2 -d :`

Perhaps you could just put some nonsense in there and then sed it out in pkg_postinst with the correct data? Although users who quickpkg it would still include the sensitive data... Perhaps it's best to leave it out of the package altogether and create the file in pkg_postinst()?

src_install is run as root, I believe, otherwise it wouldn't be able to chown stuff... Perhaps the userpriv feature changes that? I don't know it very well :)
Comment 3 Jeremy Huddleston (RETIRED) gentoo-dev 2005-01-13 05:20:23 UTC
packages affected -> replacements
=app-admin/webmin-1.170-r2 -> >=app-admin/webmin-1.170-r2

The affected package was removed since all the stable keywords were on my archs.

Not sure how you guys want to handle this as it's not wrong with installs but rather the binpkgs.

usermin isn't affected.
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-13 09:30:01 UTC
Thx everyone.

Both Koon and I vote for no GLSA on this one -> closing.
Comment 5 Jeremy Huddleston (RETIRED) gentoo-dev 2005-01-13 15:01:13 UTC
Changing subject as usermin wasn't affected.
Comment 6 solar (RETIRED) gentoo-dev 2005-02-06 12:20:01 UTC
I do not think we need a GLSA for this.
Comment 7 Tavis Ormandy (RETIRED) gentoo-dev 2005-02-06 12:46:22 UTC
Regarding the GLSA, doesn't this qualify under the vulnerability treatment policy as "Global service compromise: denial of service, passwords or full database leaks"? The webmin tbz2 would be world-readable, and these are often distributed by people to other users. These users need to know that their root password has been compromised (assuming the attacker knows how to use jtr).

Also, user action has to be taken to ensure security, i.e. actually removing the old tbz2. Isn't that the point of security advisories? I found 2 users on the web who had these tbz2s accessible to the world; I let them know about this and advised them to change their pass :)

It's possible there are still packages with passwords in them out there now (portage doesn't remove old ones!). I only spotted this as I was affected on a server I maintain; I know I would have liked to be informed that my root pass should be considered compromised.

According to gentoo-stats.org, about 10% of systems have webmin installed.
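An added check for the two points made in this thread, the ebuild line in comment 2 that copies the root hash out of /etc/shadow into miniserv.users, and the note above that old tbz2s linger in PKGDIR after the ebuild is fixed. The script below is example code written for this page; it is not part of the webmin ebuild, of Portage, or of the GLSA. It assumes the standard Portage layout (a tbz2 is a bzip2 tarball followed by an xpak metadata trailer, binary packages live under PKGDIR, and the file is shipped as etc/webmin/miniserv.users) and needs only tar, awk, find and mktemp. The sample packages it builds when run with no argument are constructed for the demo, and the MD5-crypt string inside them is made up, not the hash of any real password.

```shell
#!/bin/sh
# Added example (not from the bug report or the webmin ebuild): find Gentoo
# binary packages whose etc/webmin/miniserv.users carries a real crypt(3)
# hash, i.e. the root hash the ebuild copied out of /etc/shadow at build time.
# Old tbz2s stay in $PKGDIR after the ebuild fix, so scan the whole directory.

# classify_hashes: read miniserv.users lines (user:hash:...) on stdin and print
# LEAK if any hash field looks like a crypt(3) hash, otherwise PLACEHOLDER.
# Recognised: modular-crypt hashes ($1$, $5$, $6$, $2a$ ...) and the
# 13-character traditional DES form. "x", "*", "!" and an empty field are not secrets.
classify_hashes() {
  awk -F: '
    substr($2, 1, 1) == "$" { found = 1 }
    length($2) == 13 && $2 ~ /^[.\/0-9A-Za-z]+$/ { found = 1 }
    END { print (found ? "LEAK" : "PLACEHOLDER") }'
}

# classify_pkg PKG: print LEAK, PLACEHOLDER or ABSENT for one .tbz2 (or plain .tar).
# A real tbz2 is a bzip2 tarball followed by an xpak metadata blob; tar reads the
# tarball and only warns about the trailer, so stderr is discarded. If your tar
# refuses the file, split it first with `qtbz2 -s` from portage-utils.
classify_pkg() {
  member=$(tar -tf "$1" 2>/dev/null | grep 'etc/webmin/miniserv\.users$' | head -n 1)
  if [ -z "$member" ]; then
    echo ABSENT
    return 0
  fi
  tar -xOf "$1" "$member" 2>/dev/null | classify_hashes
}

# scan_pkgdir DIR: report every binary package under DIR (e.g. your PKGDIR).
scan_pkgdir() {
  find "$1" -name '*.tbz2' | while read -r pkg; do
    printf '%s\t%s\n' "$(classify_pkg "$pkg")" "$pkg"
  done
}

# make_sample_pkg OUT HASH: build a constructed, uncompressed tar with the
# member layout of a webmin binary package, for offline demonstration only.
# OUT must be an absolute path (tar is run from inside the staging dir).
make_sample_pkg() {
  dir=$(mktemp -d) || return 1
  mkdir -p "$dir/etc/webmin"
  printf 'root:%s:0\n' "$2" > "$dir/etc/webmin/miniserv.users"
  tar -cf "$1" -C "$dir" .
  rm -rf "$dir"
}

if [ -n "${1:-}" ]; then
  scan_pkgdir "$1"
else
  # Demo on constructed packages. The MD5-crypt string below is made up and
  # is not the hash of any real password.
  leaky=$(mktemp) && make_sample_pkg "$leaky" '$1$Zl4pYGxk$8eJbGkKd0mfTt6xdBl6Mm0'
  safe=$(mktemp) && make_sample_pkg "$safe" 'x'
  printf 'leaky package: %s\n' "$(classify_pkg "$leaky")"   # LEAK
  printf 'safe package:  %s\n' "$(classify_pkg "$safe")"    # PLACEHOLDER
  rm -f "$leaky" "$safe"
fi
```

Run it as `sh scan-miniserv.sh /usr/portage/packages` (or whatever your PKGDIR is) to get one line per package tagged LEAK, PLACEHOLDER or ABSENT; with no argument it runs the constructed demo. A LEAK hit means the root hash was readable by anyone who could fetch that file, so the password should be treated as compromised and changed, not just the package deleted. The hash check deliberately keys on the shape of the field rather than on a fixed list, so it also catches the SHA-crypt and bcrypt forms a newer system would write to /etc/shadow.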
Comment 8 Tavis Ormandy (RETIRED) gentoo-dev 2005-02-07 02:04:07 UTC
Reopening regarding the GLSA issue.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-02-07 02:17:02 UTC
I tend to think now that Tavis is right, and we should issue a GLSA about it. I originally thought it was quickpkg's fault (by design, it includes the files currently used on your filesystem), but here we had something in the ebuild that copied the root password over before the tbz2 was built (in the "buildpkg" feature or emerge -B), which is a clear ebuild flaw.

So I vote YES now :)
Comment 10 Kurt Lieber (RETIRED) gentoo-dev 2005-02-08 13:15:54 UTC
Agree with koon. Think a GLSA is needed.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-02-08 13:37:23 UTC
I'll try to write the GLSA
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-02-11 13:08:21 UTC
GLSA 200502-12