Date: Thu, 29 May 2014 13:20:11 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: CVE request: sos: /etc/fstab collected by sosreport, possibly containing passwords -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/29/2014 12:57 PM, Dolev Farhi wrote: > I tend to agree with most of this actually, but since sosreport is > there to collect information for troubleshooting issues only, then > there is no actual reason not to remove the pw field of a mount in > fstab, even though the file is world readable in the first place. I > do agree that this widens the scope from Red Hats side especially > while most of the time it would be close to impossible to prevent > password disclosures in configuration files, especially when it > depends on the random way a sysadmin alters config files. Best > practice is to use the credentials option and point fstab to read > the mount username and password from a file but there are multiple > ways to achieve the same goal. I am not sure regarding the > necessity of a CVE here, though I dont see much of a difference > between this to any other password disclosures (such as grub.conf) > discovered in sosreport in the past, except that fstab is world > readable. On both cases the problem is that this file is handled by > 3rd parties. > > Thanks > > -- Dolev Farhi So /etc/fstab is world readable, within that system. The file is then being exported to Red Hat, we don't really need or want the password, we also make an effort to sanitize the data sent, so if nothing else this falls into the "intended/advertised security feature that failed" and would qualify for a CVE as such as I understand things. - -- Kurt Seifried - Red Hat - Product Security - Cloud stuff and such PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJTh4hrAAoJEBYNRVNeJnmTjYEP/2bPTxCVZW/3XZFu4cMeR47+ pPdOWOO2/InF0W2oVm8nCp5vlgh5qb+brBO32o74gaq27x6BQh0hnzhCsEcF0+rx Eeg6vDIorvQ5iBNRHqYdCmzgAicTx7RRTGjAyXgQqdLh90mFrNEgA2WgFa0BOkHL QfrCRWhZ1+KeCkPMURTGAulKBeEMAJxMMIGc3GC408R8jcBNDoFOVmGDC+tPI+Or KvY4zBu8cf3VFNTGqhdvlJ4Hwu2X14BvaiisQqDLkb6IJX2OVT5vFue9TEZfQQjr G7TQ1eZsuqh2rOngwJrlDDxSoyiClKclA5NraJUUL1kCJfSzAS4NxBjIpNWp94Hi Bx7tXyoCuhk2RZHBusLnFH6j/TJUYgrkOvw8YujzIE6FtX2V66SiyrDKOH620IWZ J105kcIUMop/x5LBQ3dxx+slTHxHQcmRMpu6aECPt28SgP335nXgbHhwLo12jN8a NnUKPXbZKBXN1rRcb50DUJPw/5d2DI/j9GCqtNIqxRV/6JIq1/czJyGryyYVmBdL EYF2HYzaeSBklTJha86JMxNRlyPoS1tSF437SvRwODLtH1lpGXVQNnkCAS2JdLZ9 O6rF2uFCsvbZMklDW/94NgiSlLSVPLfafrlKCBegQClYcOLm0mM81U2PLXcVwN/z pp6kR35+xGtGkveF6gIg =s9TQ -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.