Bug 56354 - various passwords in process list visible
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: General
UCS 5.0
Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-5-errata
Assigned To: Florian Best
Arvid Requate
https://git.knut.univention.de/univen...
Blocks: 56801
Reported: 2023-07-26 11:17 CEST by Florian Best
Modified: 2023-11-06 15:19 CET (History)
What kind of report is it?: Security Issue
Description Florian Best univentionstaff 2023-07-26 11:17:23 CEST
base/univention-licence/tools/univention-license-import.in:err=$(ldapadd -x -h "$ldap_master" -p "$ldap_master_port" -ZZ -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" -f "$file" 2>&1)
base/univention-licence/tools/univention-license-import.in:     ldapsearch -xLLL -h "$ldap_master" -p "$ldap_master_port" -ZZ -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" cn=admin -b "cn=license,cn=univention,$ldap_base" | ldapsea
base/univention-licence/tools/univention-license-import.in:     ldapdelete -x -h "$ldap_master" -p "$ldap_master_port" -ZZ -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" "cn=admin,cn=license,cn=univention,$ldap_base"
base/univention-licence/tools/univention-license-import.in:     ldapadd -x -h "$ldap_master" -p "$ldap_master_port" -ZZ -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" -f "$file"
doc/developer-reference/listener/details.rst:     -w "$(cat /etc/machine.secret)"
management/univention-directory-listener/debian/tests/filter:   ldapadd -H "ldap://$FQDN:$PORT" -ZZ -x -D "cn=admin,$BASE" -w "$SECRET" <<__LDIF__
management/univention-directory-listener/debian/tests/filter:   ldapsearch -xLLLo ldif-wrap=no -H "ldap://$FQDN:$PORT" -b "cn=test${n:-},$BASE" -s base -ZZ -D "cn=admin,$BASE" -w "$SECRET" 1.1
management/univention-directory-listener/debian/tests/filter:           -x -D "cn=admin,$BASE" -w "$SECRET"
management/univention-directory-listener/debian/tests/filter:           -x -D "cn=admin,$BASE" -w "$SECRET" &
management/univention-directory-listener/debian/tests/filter:   ldapsearch -xLLLo ldif-wrap=no -H "ldap://$FQDN:7389" -b "cn=test${n:-},$BASE" -s base -ZZ -D "cn=update,$BASE" -w "$secret" 1.1
management/univention-directory-listener/doc.34355/common.sh:   /usr/bin/ldapsearch -h "$BINDHOST" -p "$BINDPORT" -x -D "$BINDDN" -w "$BINDPW" -LLL -o ldif-wrap=no "$@"
management/univention-directory-listener/doc.34355/common.sh:   /usr/bin/ldapadd -x -h "$BINDHOST" -p "$BINDPORT" -D "$BINDDN" -w "$BINDPW" "$@"
management/univention-directory-listener/doc.34355/common.sh:   /usr/bin/ldapmodify -x -h "$BINDHOST" -p "$BINDPORT" -D "$BINDDN" -w "$BINDPW" "$@"
management/univention-directory-listener/doc.34355/common.sh:   /usr/bin/ldapmodrdn -x -h "$BINDHOST" -p "$BINDPORT" -D "$BINDDN" -w "$BINDPW" "$@"
management/univention-directory-listener/doc.34355/common.sh:   /usr/bin/ldapdelete -x -h "$BINDHOST" -p "$BINDPORT" -D "$BINDDN" -w "$BINDPW" "$@"
management/univention-directory-manager-modules/scripts/fix_primary_group_membership:                                   ldapmodify -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" <<EOF
management/univention-directory-manager-modules/scripts/fix_primary_group_membership:                                   ldapmodify -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" <<EOF
management/univention-directory-manager-modules/scripts/fix_primary_group_membership:                                   ldapmodify -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" <<EOF
management/univention-directory-manager-modules/scripts/fix_primary_group_membership:                                   ldapmodify -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" <<EOF

management/univention-directory-replication/univention-directory-replication-resync:if ldapmodify -x -w "$(cut -d\" -f2 /etc/ldap/rootpw.conf)" -D "cn=update,${ldap_base}" -c -S "${faileddns}" -f "$1" >>"$LOG" 2>&1


management/univention-ldap/test/listner-notifier-test:          ldapmodrdn -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" "$dn" "$rdn=Object$string1"
management/univention-ldap/test/listner-notifier-test:          ldapmodrdn -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" -r "$rdn=Object$string1,cn=$cn,$ldap_base" "$rdn=Objectxxx$string2"
management/univention-ldap/test/listner-notifier-test:  cmd="ldapmodify -x -D 'cn=update,$ldap_base' -w '$rootpw' -f backup.ldif"
management/univention-ldap/univention-backup2master:  ldapmodify -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" -f "$temp_file"
management/univention-ldap/univention-backup2master:ldapmodify -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" -f "$temp_file"
management/univention-ldap/univention-backup2master:ldapdelete -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" "krb5PrincipalName=ldap/${old_ldap_master}@${kerberos_realm},cn=kerberos,${ldap_base}"
monitoring/univention-nagios/usr/lib/nagios/plugins/check_univention_joinstatus:ldapsearch -x -h "$LDAPSERVER" -p "$LDAPPORT" -D "$ldap_hostdn" -w $(cat /etc/machine.secret) -b "$ldap_base" -s base 2> /dev/null > /dev/null
monitoring/univention-nagios/usr/lib/nagios/plugins/check_univention_joinstatus:ldapsearch -x -ZZ -h "$LDAPSERVER" -p "$LDAPPORT" -D "$ldap_hostdn" -w $(cat /etc/machine.secret) -b "$ldap_base" -s base 2> /dev/null > /dev/null
monitoring/univention-nagios/usr/lib/nagios/plugins/check_univention_joinstatus:ldapsearch -x -ZZ -D "$ldap_hostdn" -w $(cat /etc/machine.secret) -b "$ldap_base" -s base  2> /dev/null > /dev/null
packaging/ucslint/testframework/0017-5-6-7-8-9/shell.sh:ldapsearch -x -LLLo ldif-wrap=no -U "$(ucr get ldap/hostdn)" -w "$(cat /etc/machine.secret)" -b "$(ucr get ldap/base)" -s base 1.1 || die

services/univention-samba/26univention-samba.inst:      smbpasswd -w "$(< /etc/machine.secret)"
services/univention-samba/26univention-samba.inst:      smbpasswd -w "$(< /etc/ldap.secret)"

services/univention-samba4/debian/univention-samba4.postinst:                           s_res="$(univention-ldapsearch -s base -h "$hostname.$domainname" -p 389 -w "$machine_secret" -D "$dn" dn | ldapsearch-wrapper | sed -ne 's|^dn: ||p')
test/product-tests/samba/utils.sh:      univention-ldapsearch -D "$binddn" -w "$password" "uid=$username"

And of course many in test scripts.
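As an added example (not code from UCS or from the linked MR), a small shell check that flags the `-w "$(cat …)"` and `-w "$VAR"` shapes listed above and mechanically rewrites the `cat` form to the OpenLDAP client tools' `-y passwdfile` option; the sample script, its lines and the temp file names are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not UCS code. Anything placed in argv is readable by every local
# user via `ps` or /proc/<pid>/cmdline for as long as the process runs, so both
# -w "$(cat secretfile)" and -w "$VAR" leak the bind password. The OpenLDAP
# client tools accept -y FILE instead, which reads the password from the file.

# ERE: an LDAP client (or smbpasswd) invocation whose -w argument begins with a
# command substitution or a variable expansion, quoted or not.
LEAK_RE='(ldapsearch|ldapadd|ldapmodify|ldapdelete|ldapmodrdn|smbpasswd).*[[:space:]]-w[[:space:]]+.?\$'

# Print offending lines of a script with line numbers (exit 0 if any were found).
# The same regex run over `ps -eo args=` shows live leaks on a running system.
find_argv_password_leaks() {
    grep -nE "$LEAK_RE" "$1"
}

# Print the number of offending lines; prints 0 when the script is clean.
count_argv_password_leaks() {
    grep -cE "$LEAK_RE" "$1" || true
}

# Rewrite -w "$(cat FILE)" (quoted or not) to -y FILE. A -w "$VAR" whose value
# came from elsewhere cannot be fixed mechanically and is left for manual review.
rewrite_cat_secret_to_passwdfile() {
    sed 's/-w "\{0,1\}\$(cat \([^)]*\))"\{0,1\}/-y \1/' "$1"
}

# Constructed sample script reproducing the shapes from the grep listing above.
SAMPLE="$(mktemp)"
FIXED="$(mktemp)"
trap 'rm -f "$SAMPLE" "$FIXED"' EXIT
cat >"$SAMPLE" <<'EOF'
ldapsearch -x -ZZ -D "$ldap_hostdn" -w $(cat /etc/machine.secret) -b "$ldap_base" -s base
ldapmodify -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" -f "$temp_file"
/usr/bin/ldapsearch -x -D "$BINDDN" -w "$BINDPW" -LLL -o ldif-wrap=no "$@"
ldapmodify -x -D "cn=admin,$ldap_base" -y /etc/ldap.secret -f "$temp_file"
echo "unrelated line mentioning -w $HOME"
EOF
rewrite_cat_secret_to_passwdfile "$SAMPLE" >"$FIXED"

find_argv_password_leaks "$SAMPLE" || echo "no leaks found"
echo "leaks before: $(count_argv_password_leaks "$SAMPLE"), after rewrite: $(count_argv_password_leaks "$FIXED")"
```

The remaining hit after the rewrite is the `-w "$BINDPW"` line: a password held in a variable has to be handed over through a file or a pipe (for example `-y` with a file readable only by the calling user), not through argv.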
Comment 1 Florian Best univentionstaff 2023-07-26 13:33:30 CEST
I already pushed the unit test changes to 5.0-4 after checking that the pipeline still succeeds in building the packages:

univention-ldap (16.0.13-4)
ed000c8b5887 | test(ldap): do not leak password in process list

univention-directory-listener (14.0.8-3)
65e04428595e | test(UDL): do not leak password in process list

ucslint (1.0.0-1)
0a39a7883d25 | test(ucslint): do not leak password in process list

ucs-test (10.0.15-14)
9e26f096510c | test(ucs-test): do not leak password in process list
Leftovers in the MR are only:
d0567d7c2f fix(samba): do not leak password in process list
 services/univention-samba/26univention-samba.inst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
→ Bug #56332

6a51cdd346 fix(samba4): do not leak password in process list
 services/univention-samba4/debian/univention-samba4.postinst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
dd5af96055 fix(nagios): do not leak password in process list
 monitoring/univention-nagios/usr/lib/nagios/plugins/check_univention_joinstatus | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
86ed0b80ce fix(backup2master): do not leak password in process list
 management/univention-ldap/univention-backup2master | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
→ Bug #56333

30535f4a52 fix(directory-replication): do not leak password in process list
 management/univention-directory-replication/univention-directory-replication-resync | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
0c520a9a9e fix(udm): do not leak password in process list
 management/univention-directory-manager-modules/scripts/fix_primary_group_membership | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
6fcd8130b7 fix(directory-listener-verify): do not leak password in process list
 doc/developer-reference/listener/details.rst          |  2 +-
 management/univention-directory-listener/src/verify.c | 33 ++++++++++++++++++++++++++++++++-
 2 files changed, 33 insertions(+), 2 deletions(-)
d3ef349c69 fix(license-import): do not leak password in process list
 base/univention-licence/tools/univention-license-import.in | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
Comment 2 Florian Best univentionstaff 2023-10-25 16:43:39 CEST
All occurrences which I found (the above listed) have been replaced.

univention-samba4.yaml
7f93dea7b438 | chore(advisory): mark advisory as security issue
5a7228f9d13f | fix(samba4): do not leak password in process list

univention-samba4 (9.0.14-4)
5a7228f9d13f | fix(samba4): do not leak password in process list

univention-samba.yaml
7f93dea7b438 | chore(advisory): mark advisory as security issue
49e9b678a30c | fix(samba): do not leak password in process list

univention-samba (14.0.9-2)
49e9b678a30c | fix(samba): do not leak password in process list

univention-nagios.yaml
7f93dea7b438 | chore(advisory): mark advisory as security issue
bceed4efd741 | fix(nagios): do not leak password in process list

univention-nagios (13.0.5-2)
bceed4efd741 | fix(nagios): do not leak password in process list

univention-licence.yaml
7f93dea7b438 | chore(advisory): mark advisory as security issue
7870e16ae325 | fix(license-import): do not leak password in process list

univention-licence (11.0.0-2)
7870e16ae325 | fix(license-import): do not leak password in process list

univention-ldap.yaml
7f93dea7b438 | chore(advisory): mark advisory as security issue
e9e4a4871fcd | fix(backup2master): do not leak password in process list

univention-ldap (16.0.13-5)
e9e4a4871fcd | fix(backup2master): do not leak password in process list

univention-ldap (16.0.13-4)
ed000c8b5887 | test(ldap): do not leak password in process list

univention-directory-replication.yaml
7f93dea7b438 | chore(advisory): mark advisory as security issue
c9b55211c7ea | fix(directory-replication): do not leak password in process list

univention-directory-replication (13.0.7-3)
c9b55211c7ea | fix(directory-replication): do not leak password in process list

univention-directory-manager-modules.yaml
7f93dea7b438 | chore(advisory): mark advisory as security issue
e5f0a1a621dc | fix(udm): do not leak password in process list

univention-directory-manager-modules (15.0.24-22)
e5f0a1a621dc | fix(udm): do not leak password in process list

univention-directory-listener.yaml
7f93dea7b438 | chore(advisory): mark advisory as security issue
22c68692a0f1 | fix(directory-listener-verify): do not leak password in process list

univention-directory-listener (14.0.8-7)
22c68692a0f1 | fix(directory-listener-verify): do not leak password in process list

univention-directory-listener (14.0.8-3)
65e04428595e | test(UDL): do not leak password in process list
Comment 3 Arvid Requate univentionstaff 2023-10-26 14:35:03 CEST
Verified:
* Code review
* Package update
* Advisories