[debian-mysql] Bug#438375: /usr/bin/mysqlreport: shows password as clear text on the console (not hidden)

Martin Weis martin.weis.newsadress at gmx.de
Thu Aug 16 12:51:33 UTC 2007


Package: mysql-client-5.0
Version: 5.0.32-7etch1
Severity: normal
File: /usr/bin/mysqlreport


Bugreport: mysqlreport
# mysqlreport v2.5 Sep 1 2006

I found that the script does not hide the password in the interactive
password dialog. This is a security flaw and should be changed.
To reproduce, type
mysqlreport --password

I think the following lines are responsible, but am not fit enough in
Perl to change this.

# line 78ff:
if(exists $op{'password'})
{
   if($op{'password'} eq '') # Prompt for password
   {
      Term::ReadKey::ReadMode(2) if $RK;
      print "Password for database user $mycnf{'user'}: ";
      chomp($mycnf{'pass'} = <STDIN>);
      Term::ReadKey::ReadMode(0), print "\n" if $RK;
   }
   else { $mycnf{'pass'} = $op{'password'}; } # Use password given on command line
}

I reported this bug also to
http://hackmysql.com/feedback

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages mysql-client-5.0 depends on:
ii  debianutils                2.17          Miscellaneous utilities specific t
ii  libc6                      2.3.6.ds1-13  GNU C Library: Shared libraries
ii  libdbd-mysql-perl          3.0008-1      A Perl5 database interface to the
ii  libdbi-perl                1.53-1        Perl5 database interface by Tim Bu
ii  libgcc1                    1:4.1.1-21    GCC support library
ii  libmysqlclient15off        5.0.32-7etch1 mysql database client library
ii  libncurses5                5.5-5         Shared libraries for terminal hand
ii  libreadline5               5.2-2         GNU readline and history libraries
ii  libstdc++6                 4.1.1-21      The GNU Standard C++ Library v3
ii  libwrap0                   7.6.dbs-13    Wietse Venema's TCP wrappers libra
ii  mysql-common               5.0.32-7etch1 mysql database common files (e.g.
ii  perl                       5.8.8-7       Larry Wall's Practical Extraction
ii  zlib1g                     1:1.2.3-13    compression library - runtime

mysql-client-5.0 recommends no packages.

-- no debconf information

Thanks to you all,
-- 
Martin Weis
PGP-Key: http://datenroulette.de/pgp.php
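In the quoted snippet, echo is turned off only when $RK is true, i.e. only when Term::ReadKey was loaded; otherwise the prompt reads the password with echo on. The following is an added example (not code from mysqlreport or from the reporter) of a prompt that never reads a password with echo enabled: it uses Term::ReadKey when available, falls back to stty on a terminal, and refuses to prompt at all if echo cannot be disabled. The function name read_password and the fallback strategy are my assumptions.

```perl
#!/usr/bin/perl
# Added example: a password prompt that fails closed instead of echoing.
use strict;
use warnings;

# Assumed helper name; returns the password read from the terminal.
sub read_password {
    my ($prompt) = @_;

    # Prefer Term::ReadKey if it is installed (same module the script uses).
    my $have_rk = eval { require Term::ReadKey; 1 };

    my $echo_off = 0;
    if ($have_rk) {
        Term::ReadKey::ReadMode('noecho');      # same as ReadMode(2)
        $echo_off = 1;
    }
    elsif (-t STDIN) {
        # Fallback: ask the terminal driver directly.
        $echo_off = (system('stty', '-echo') == 0);
    }

    # Fail closed: never print a prompt whose answer would be visible
    # on screen, in a shared session or in a terminal log.
    unless ($echo_off) {
        die "Cannot disable terminal echo; refusing to prompt for a password\n";
    }

    # Make sure echo is restored even if the caller is interrupted.
    local $SIG{INT} = sub {
        if ($have_rk) { Term::ReadKey::ReadMode('restore'); }
        else          { system('stty', 'echo'); }
        print STDERR "\n";
        exit 1;
    };

    print STDERR $prompt;
    my $pass = <STDIN>;

    if ($have_rk) { Term::ReadKey::ReadMode('restore'); }   # same as ReadMode(0)
    else          { system('stty', 'echo'); }
    print STDERR "\n";

    die "No password read\n" unless defined $pass;
    chomp $pass;
    return $pass;
}

my $pass = read_password("Password for database user: ");
print "Read ", length($pass), " characters (not shown)\n";
```

Running it as `perl prompt.pl` on a terminal shows the prompt with no echo; running it with stdin redirected from a file aborts instead of silently echoing.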