Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 17 Nov 2010 17:00:29 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Josh Bressers <bressers@...hat.com>
cc: oss-security@...ts.openwall.com
Subject: Re: Clear text password in process list when using
 MySQL GUI tools


On Wed, 17 Nov 2010, Josh Bressers wrote:

> What are the thoughts of MITRE on this one? This affects all sorts of 
> stuff, and I don't upstream removing the command line option (which is 
> probably the only fix).

As already mentioned, this kind of thing has been covered in CVE before, 
and I don't see a reason to omit it.  Yes it can be a pain to fix, but in 
most informal security models, one unprivileged user on a local system 
should not be able to view any portion of sensitive information that is 
owned by another unprivileged user.  In the case of password/credential 
leaks, in some cases this effectively compromises a remote system, too. 
If an app *only* supports passing of sensitive information through 
command-line arguments, then IMO it's probably worthy of a CVE.

My understanding is that some OSes or modules don't support listing of 
process arguments, (or even processes of other users?), but I would guess 
that most cross-OS (or cross-distro) code has a good likelihood of running 
on an OS that supports process arguments.

By the way, this also theoretically applies to environment variables, but 
let's not go there.

Both problems pose a Pandora's box of questions regarding how to define 
'sensitive information' in a local context (e.g., presumably users on a 
local system have the "privileges" to know the home directories of all 
other users) but let's ot go there, either ;-)

CWE-214 (Process Environment Information Leak) includes some examples.

- Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.