Huge security problem with Breezy

Vayu vayu at sklinks.com
Mon Mar 13 05:43:01 UTC 2006 

On Sunday 12 March 2006 20:55, Howard Coles Jr. wrote:
> On Sunday 12 March 2006 21:19, Mike Hudson wrote:
> > I apologize if this is not the right forum for this issue, but I
> > think it's pretty important -- Every Ubuntu user should be warned.
> >
> > http://www.ubuntuforums.org/showthread.php?t=143334
> >
> > Users have reported Breezy Kubuntu and Ubuntu both have this problem.
> >
> > Users report that the password they created when they installed
> > Breezy Ubuntu/Kubuntu is in plain text in the file below:
> > /var/log/installer/cdebconf/questions.dat
> >
> > The file is world readable, so anybody that could log in locally,
> > remotely, or put executable script files on your Ubuntu/Kubuntu box
> > could have read your password.
> >
> > Make sure to delete this file as soon as possible, and change your
> > password.
> >
> > I imagine that this would only affect you if you installed from
> > Breezy.  If you installed from Hoary and upgraded to Breezy, you
> > probably wouldn't have the problem.
> 
> Whoa!  I'm glad someone caught this!!  I found my extra user password in the 
> file!  This bites.  Why would this file be kept around, or why would it be 
> storing password prompt info at all, much less as clear text?!?
> 
> -- 

How it happened is in the above thread.   

It is a serious bug. It is serious for those that their machines have exposure 
to the outside world and/or other users that are not trustworthy.  In other 
words single desktop users should not be concerned.  In all cases the fix is 
really easy.  Change your password.  It is only keeping the original install 
user password.  Those with security needs who know what they're doing will 
have changed their passwords regularly and would not have been affected by 
this at all.  

Other points to note: This only affects those who started with a fresh install 
of Breezy.  Machines upgraded to Breezy from prior releases (and even beta 
versions of Breezy) are not affected.  Dapper (which is not a release product 
anyway) is not affected unless it was upgraded from a machine that had a 
fresh install of Breezy to start with.

Another point to note is that this problem was solved and a patch issued 
within hours of it's discovery.  For all machines except those where the 
default upgrade option has been disabled, the patch will be presented the 
very next time the machine boots up.

The Ubuntu/Kubuntu team has been doing an outstanding job, has won much 
recognition throughout the computing community and has become one of the 
premier Linux distributions.  I believe their immediate resolution of this 
problem reflects on the quality and commitment of that team. if you don't 
crash and crash hard then you're not out there doing it.

In a time when I'm sure there will be many who are critical I would like to 
say thank you to the Ubuntu team for a truly amazing gift.

More information about the kubuntu-users mailing list