Huge security problem with Breezy
Vayu
vayu at sklinks.com
Mon Mar 13 05:43:01 UTC 2006
On Sunday 12 March 2006 20:55, Howard Coles Jr. wrote:
> On Sunday 12 March 2006 21:19, Mike Hudson wrote:
> > I apologize if this is not the right forum for this issue, but I
> > think it's pretty important -- Every Ubuntu user should be warned.
> >
> > http://www.ubuntuforums.org/showthread.php?t=143334
> >
> > Users have reported Breezy Kubuntu and Ubuntu both have this problem.
> >
> > Users report that the password they created when they installed
> > Breezy Ubuntu/Kubuntu is in plain text in the file below:
> > /var/log/installer/cdebconf/questions.dat
> >
> > The file is world readable, so anybody that could log in locally,
> > remotely, or put executable script files on your Ubuntu/Kubuntu box
> > could have read your password.
> >
> > Make sure to delete this file as soon as possible, and change your
> > password.
> >
> > I imagine that this would only affect you if you installed from
> > Breezy. If you installed from Hoary and upgraded to Breezy, you
> > probably wouldn't have the problem.
>
> Whoa! I'm glad someone caught this!! I found my extra user password in the
> file! This bites. Why would this file be kept around, or why would it be
> storing password prompt info at all, much less as clear text?!?
>
> --
How it happened is in the above thread.
It is a serious bug. It is serious for those whose machines have exposure
to the outside world and/or other users that are not trustworthy. In other
words, single desktop users should not be concerned. In all cases the fix is
really easy. Change your password. It is only keeping the original install
user password. Those with security needs who know what they're doing will
have changed their passwords regularly and would not have been affected by
this at all.
Other points to note: This only affects those who started with a fresh install
of Breezy. Machines upgraded to Breezy from prior releases (and even beta
versions of Breezy) are not affected. Dapper (which is not a release product
anyway) is not affected unless it was upgraded from a machine that had a
fresh install of Breezy to start with.
Another point to note is that this problem was solved and a patch issued
within hours of its discovery. For all machines except those where the
default upgrade option has been disabled, the patch will be presented the
very next time the machine boots up.
The Ubuntu/Kubuntu team has been doing an outstanding job, has won much
recognition throughout the computing community and has become one of the
premier Linux distributions. I believe their immediate resolution of this
problem reflects on the quality and commitment of that team. If you don't
crash and crash hard then you're not out there doing it.
In a time when I'm sure there will be many who are critical I would like to
say thank you to the Ubuntu team for a truly amazing gift.
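The thread's advice boils down to two checks an administrator can script: is the installer log file named above still present and world-readable, and if so, remove it and rotate the password. The script below is an added example written for this post, not a script from the thread or from Ubuntu. It uses only the path quoted in the thread (/var/log/installer/cdebconf/questions.dat), makes no assumption about that file's internal format, and reads permissions with `ls -ld` so it runs on any POSIX shell. The function names and the `QUESTIONS_DAT` variable are the example's own.

```shell
#!/bin/sh
# Added example (not from the original thread or Ubuntu): detect and remediate
# a world-readable installer debconf log. Path is the one quoted in the thread;
# the file's contents are never parsed or printed here.
QUESTIONS_DAT="${QUESTIONS_DAT:-/var/log/installer/cdebconf/questions.dat}"

# Returns 0 if the path exists and the "others" read bit is set.
# Column 8 of `ls -ld` output is the others-read flag ('r' or '-').
is_world_readable() {
    f="$1"
    [ -e "$f" ] || return 1
    others_read=$(ls -ld "$f" | cut -c8)
    [ "$others_read" = "r" ]
}

# Prints a one-line status and returns 0 only when the file is exposed
# (present and world-readable), so it can drive a cron or audit job.
check_installer_log() {
    f="${1:-$QUESTIONS_DAT}"
    if [ ! -e "$f" ]; then
        echo "ok: $f not present"
        return 1
    fi
    if is_world_readable "$f"; then
        echo "EXPOSED: $f is world-readable ($(ls -ld "$f" | cut -c1-10))"
        return 0
    fi
    echo "ok: $f present but not world-readable"
    return 1
}

# Remediation as the thread recommends: delete the file. Returns 0 when the
# file is gone afterwards (needs root for the real path). Changing the
# install user's password is still required and is not automated here.
remediate_installer_log() {
    f="${1:-$QUESTIONS_DAT}"
    [ -e "$f" ] || return 0
    rm -f "$f"
    [ ! -e "$f" ]
}

# Usage: sh check_installer_log.sh --check | --fix
case "${1:-}" in
    --check) check_installer_log ;;
    --fix)   remediate_installer_log && echo "removed $QUESTIONS_DAT; now change the install user's password with passwd" ;;
esac
```

`--check` exits 0 when the file is exposed, which makes it easy to wire into a monitoring job that alerts on success; `--fix` only deletes the file, since the password change the thread insists on must be done interactively by the affected user.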