Date: Thu, 29 May 2014 13:20:11 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: sos: /etc/fstab collected by sosreport, possibly containing passwords


On 05/29/2014 12:57 PM, Dolev Farhi wrote:
> I tend to agree with most of this actually, but since sosreport is
> there to collect information for troubleshooting issues only, then
> there is no actual reason not to remove the pw field of a mount in
> fstab, even though the file is world readable in the first place. I
> do agree that this widens the scope from Red Hat's side, especially
> while most of the time it would be close to impossible to prevent
> password disclosures in configuration files, especially when it
> depends on the random way a sysadmin alters config files. Best
> practice is to use the credentials option and point fstab to read
> the mount username and password from a file, but there are multiple
> ways to achieve the same goal. I am not sure regarding the
> necessity of a CVE here, though I don't see much of a difference
> between this and any other password disclosures (such as grub.conf)
> discovered in sosreport in the past, except that fstab is world
> readable. In both cases the problem is that this file is handled by
> 3rd parties.
> 
> Thanks
> 
> -- Dolev Farhi

So /etc/fstab is world readable, within that system. The file is then
being exported to Red Hat; we don't really need or want the password,
and we also make an effort to sanitize the data sent, so if nothing else
this falls into the "intended/advertised security feature that failed"
category and would qualify for a CVE as such, as I understand things.


-- 
Kurt Seifried - Red Hat - Product Security - Cloud stuff and such
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
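As an added example, not code from this thread or from the sos project, here is a small Python scrubber that does what the discussion asks of a collector: it redacts inline `password=`/`pass=` mount options from /etc/fstab before the file leaves the system, and reports which entries carry an inline secret so the admin can move them to a `credentials=` file. The fstab content below is constructed.

```python
import re

# Constructed sample /etc/fstab content (not taken from any real system).
SAMPLE_FSTAB = """\
# /etc/fstab: static file system information
UUID=1234-abcd /               ext4 defaults        1 1
//fileserver/share /mnt/share  cifs username=backup,password=s3cr3t,uid=1000 0 0
//fileserver/docs  /mnt/docs   cifs credentials=/root/.smbcredentials,uid=1000 0 0
nas:/export/home   /home       nfs  defaults        0 0
"""

# Mount options whose value is a secret; 'pass' is the short CIFS alias of 'password'.
# The leading \b keeps option names such as 'bypass=' from matching.
SECRET_OPTS = re.compile(r'(?i)\b(password|pass)=([^,\s]*)')


def scrub_fstab(text, placeholder="********"):
    """Return (scrubbed_text, findings).

    Every password=/pass= value in the options field is replaced by the
    placeholder, the sanitisation a support collector should apply before
    the file is exported. findings lists (line_no, mount_point) for each
    entry that embedded a secret inline instead of using credentials=.
    """
    out, findings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            out.append(line)  # comments and blank lines pass through untouched
            continue
        fields = stripped.split()
        # fstab field order: device, mount point, type, options, dump, pass
        if len(fields) >= 4 and SECRET_OPTS.search(fields[3]):
            fields[3] = SECRET_OPTS.sub(
                lambda m: f"{m.group(1)}={placeholder}", fields[3])
            findings.append((n, fields[1]))
            out.append(' '.join(fields))
        else:
            out.append(line)
    return '\n'.join(out) + '\n', findings


if __name__ == "__main__":
    scrubbed, hits = scrub_fstab(SAMPLE_FSTAB)
    print(scrubbed)
    for line_no, mountpoint in hits:
        print(f"line {line_no}: {mountpoint} uses an inline password; use credentials= instead")
```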
