[debian-mysql] Bug#438375: /usr/bin/mysqlreport: shows password as clear text on the console (not hidden)
Martin Weis
martin.weis.newsadress at gmx.de
Thu Aug 16 12:51:33 UTC 2007
Package: mysql-client-5.0
Version: 5.0.32-7etch1
Severity: normal
File: /usr/bin/mysqlreport
Bugreport: mysqlreport
# mysqlreport v2.5 Sep 1 2006
I found that the script does not hide the password in the interactive
password dialog; this is a security flaw and should be changed.
To reproduce, type:
    mysqlreport --password
I think the following lines are responsible, but am not fit enough in
Perl to change this.
# line 78ff:
if(exists $op{'password'})
{
   if($op{'password'} eq '') # Prompt for password
   {
      Term::ReadKey::ReadMode(2) if $RK;
      print "Password for database user $mycnf{'user'}: ";
      chomp($mycnf{'pass'} = <STDIN>);
      Term::ReadKey::ReadMode(0), print "\n" if $RK;
   }
   else { $mycnf{'pass'} = $op{'password'}; } # Use password given on command line
}
I reported this bug also to
http://hackmysql.com/feedback
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Versions of packages mysql-client-5.0 depends on:
ii  debianutils          2.17           Miscellaneous utilities specific t
ii  libc6                2.3.6.ds1-13   GNU C Library: Shared libraries
ii  libdbd-mysql-perl    3.0008-1       A Perl5 database interface to the
ii  libdbi-perl          1.53-1         Perl5 database interface by Tim Bu
ii  libgcc1              1:4.1.1-21     GCC support library
ii  libmysqlclient15off  5.0.32-7etch1  mysql database client library
ii  libncurses5          5.5-5          Shared libraries for terminal hand
ii  libreadline5         5.2-2          GNU readline and history libraries
ii  libstdc++6           4.1.1-21       The GNU Standard C++ Library v3
ii  libwrap0             7.6.dbs-13     Wietse Venema's TCP wrappers libra
ii  mysql-common         5.0.32-7etch1  mysql database common files (e.g.
ii  perl                 5.8.8-7        Larry Wall's Practical Extraction
ii  zlib1g               1:1.2.3-13     compression library - runtime
mysql-client-5.0 recommends no packages.
-- no debconf information
Thanks to you all,
--
Martin Weis
PGP-Key: http://datenroulette.de/pgp.php
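
An added example, not part of the original message and not mysqlreport's own code: in the quoted lines, echo is switched off only when $RK is true, so this version of the prompt disables echo through the core POSIX::Termios module and restores it afterwards. It assumes $RK records whether Term::ReadKey was loaded; the name prompt_password and the prompt text are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(:termios_h);    # core module: Termios class, ECHO, TCSANOW, TCSAFLUSH

# prompt_password (hypothetical name): read one line from STDIN with
# terminal echo switched off, without relying on Term::ReadKey.
sub prompt_password {
    my ($prompt) = @_;

    # Piped or redirected input: there is no terminal echo to disable.
    unless (-t STDIN) {
        my $line = <STDIN>;
        die "no password on STDIN\n" unless defined $line;
        chomp $line;
        return $line;
    }

    my $fd   = fileno(STDIN);
    my $term = POSIX::Termios->new;
    defined $term->getattr($fd) or die "tcgetattr failed: $!\n";
    my $saved = $term->getlflag;

    # Put the saved flags back; also used when the prompt is interrupted.
    my $restore = sub {
        $term->setlflag($saved);
        $term->setattr($fd, TCSANOW);
    };
    local $SIG{INT}  = sub { $restore->(); print STDERR "\n"; exit 130 };
    local $SIG{TERM} = sub { $restore->(); print STDERR "\n"; exit 143 };

    # Clear ECHO before printing the prompt; TCSAFLUSH discards type-ahead.
    $term->setlflag($saved & ~(ECHO));
    defined $term->setattr($fd, TCSAFLUSH) or die "tcsetattr failed: $!\n";

    print STDERR $prompt;
    my $line = <STDIN>;
    $restore->();
    print STDERR "\n";    # the user's Enter key was not echoed

    die "no password read\n" unless defined $line;
    chomp $line;
    return $line;
}

# Run as a script: report only the length, never the value.
unless (caller) {
    my $pass = prompt_password('Password for database user (constructed prompt): ');
    printf "read %d characters\n", length $pass;
}
```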