Bug#429736: world readable passwords in /var/cache/debconf/config.dat
Stefano Zacchiroli
zack at debian.org
Tue Jun 19 20:28:05 UTC 2007
Package: zope-debhelper
Version: 0.3.9
Severity: grave
Tags: security

The maintainer scripts generated by zope-debhelper leave passwords in
/var/cache/debconf/config.dat. Passwords are therefore world readable by
any user of the system. Tagging this bug as security since this is a
local privilege escalation: users can access instances as the
administrator user.

As an example this is what I can read in the above mentioned file right
now:

  Name: zenoss/admin-automatic-password
  Template: zope-common/admin-automatic-password
  Value:
  Owners: zenoss
  Flags: seen
  Variables:
   instance = zenoss
   password = ec298e16
   user = admin
   zver = 2.9

-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.21-1-686 (SMP w/1 CPU core)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages zope-debhelper depends on:
ii debhelper 5.0.50 helper programs for debian/rules
ii perl 5.8.8-7 Larry Wall's Practical Extraction
zope-debhelper recommends no packages.
-- no debconf information
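
An audit check for the condition reported above, as an added example that is not part of the original report or of zope-debhelper: it parses debconf-style records and lists variables with credential-like names that still hold a value. The record layout (blank-line separated stanzas, indented "key = value" lines under Variables:) and the name heuristic are assumptions, and the sample record is constructed with placeholder values.

```python
import re
import stat

# Heuristic for credential-like variable names (an assumption of this example).
SECRET_NAME = re.compile(r"pass(word|wd)?|secret", re.I)

def parse_records(text):
    """Parse blank-line separated stanzas; indented lines under Variables: are key = value."""
    records = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        rec, field = {"Variables": {}}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t"):  # continuation of the previous field
                if field == "Variables" and "=" in line:
                    key, _, val = line.partition("=")
                    rec["Variables"][key.strip()] = val.strip()
            elif ":" in line:
                field, _, val = line.partition(":")
                if field != "Variables":
                    rec[field] = val.strip()
        records.append(rec)
    return records

def find_secret_variables(text):
    """Return (record name, variable) for each non-empty secret-like variable."""
    return [(rec.get("Name", "?"), key)
            for rec in parse_records(text)
            for key, val in rec["Variables"].items()
            if SECRET_NAME.search(key) and val]

def world_readable(mode):
    """True if the 'other' read bit is set in an st_mode value."""
    return bool(mode & stat.S_IROTH)

# Constructed sample in the layout of the quoted record; values are placeholders.
SAMPLE = """\
Name: demo/admin-automatic-password
Template: zope-common/admin-automatic-password
Owners: demo
Variables:
 instance = demo
 password = EXAMPLE-ONLY
 user = admin

Name: demo/other-question
Owners: demo
"""

if __name__ == "__main__":
    print(find_secret_variables(SAMPLE))
```

To audit a real system, pass the contents of /var/cache/debconf/config.dat to find_secret_variables() and the file's os.stat().st_mode to world_readable().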