[debian-mysql] Bug#711600: Insecure creation of the credential file debian.cnf
Salvatore Bonaccorso
carnil at debian.org
Sun Jun 9 07:29:06 UTC 2013
Control: severity -1 important
Control: retitle -1 mysql-server: CVE-2013-2162: Insecure creation of the credential file debian.cnf
Hi
On Sat, Jun 08, 2013 at 12:26:35PM +0200, vladz wrote:
> Package: mysql-server
> Version: 5.5.31+dfsg-0+wheezy1
> Tags: security
>
> The file "/etc/mysql/debian.cnf", which contains plain text credentials
> for the "debian-sys-maint" mysql user, is created in an insecure manner
> during the package installation phase. This can lead a non-privileged
> local user to disclose its content and use this special account to
> perform administration tasks.
>
> The file is created by the post-installation script:
>
> $ vim -c "set nu" mysql-5.5-5.5.31+dfsg/debian/mysql-server-5.5.postinst
> [...]
> 170 dc=$mysql_cfgdir/debian.cnf;
> [...]
> 176 cat /dev/null > $dc
> [...]
> 178 echo "[client]" >>$dc
> 179 echo "host = localhost" >>$dc
> 180 echo "user = debian-sys-maint" >>$dc
> 181 echo "password = $pass" >>$dc
> [...]
> 191 chown 0:0 $dc
> 192 chmod 0600 $dc
>
> There is a time lapse (between lines 176 and 191) where the file
> permissions are 644 (set by the default umask). At this time, a
> user can open the file with the O_RDONLY flag and disclose its content
> even after the chmod is executed at line 192 (yes, the user's file
> descriptor won't be affected by this action).
>
> Anyway, I suggest forcing the umask value to 077 before this file is
> created.
>
> I have a trivial PoC if needed.
A CVE id was assigned to this issue: CVE-2013-2162. When you fix this
issue please make sure to include the CVE in the changelog.
Regards,
Salvatore
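
Added example, not part of the original report or of the package's postinst: the creation pattern from the report beside the suggested umask 077 fix, returning the permissions each file has while the password is being written. The paths, the password value and the function names are constructed for illustration; the `rm -f` step is an added assumption, included because truncating an existing file keeps its old mode.

```shell
#!/bin/sh
# Added example: constructed paths and password, not the package's postinst.

# Print the permission string of a file, e.g. "-rw-r--r--".
mode_of() { ls -ld "$1" | cut -c1-10; }

# Pattern from the report: create under the inherited umask, tighten later.
# Prints the permissions the file had while the secret was being written.
create_insecure() {
    dc=$1; pass=$2
    (
        umask 022                        # common default, gives 644 as in the report
        cat /dev/null > "$dc"
        echo "[client]" >> "$dc"
        echo "password = $pass" >> "$dc"
        mode_of "$dc"                    # permissions during the window
        chmod 0600 "$dc"                 # does not affect descriptors already open
    )
}

# Suggested fix: restrict the umask before the file exists.
create_hardened() {
    dc=$1; pass=$2
    (
        umask 077                        # subshell keeps the change local
        rm -f "$dc"                      # assumption: do not inherit an old file's mode
        cat /dev/null > "$dc"
        echo "[client]" >> "$dc"
        echo "password = $pass" >> "$dc"
        mode_of "$dc"                    # already owner-only at this point
        chmod 0600 "$dc"
    )
}

# Run both variants in a scratch directory and report:
# "<insecure during write> <hardened during write> <insecure after chmod>"
demo() {
    dir=$(mktemp -d) || return 1
    weak=$(create_insecure "$dir/weak.cnf" "constructed-secret")
    strong=$(create_hardened "$dir/strong.cnf" "constructed-secret")
    final=$(mode_of "$dir/weak.cnf")
    rm -rf "$dir"
    echo "$weak $strong $final"
}

demo
```

Both files end up owner-only, so inspecting the final mode does not reveal the problem; only the permissions at creation time differ.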