oss-sec mailing list archives

Re: CVE request: sos: /etc/fstab collected by sosreport, possibly containing passwords


From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 29 May 2014 13:20:11 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/29/2014 12:57 PM, Dolev Farhi wrote:
> I tend to agree with most of this actually, but since sosreport is
> there to collect information for troubleshooting issues only, then
> there is no actual reason not to remove the pw field of a mount in
> fstab, even though the file is world readable in the first place. I
> do agree that this widens the scope from Red Hat's side especially
> while most of the time it would be close to impossible to prevent
> password disclosures in configuration files, especially when it
> depends on the random way a sysadmin alters config files. Best
> practice is to use the credentials option and point fstab to read
> the mount username and password from a file but there are multiple
> ways to achieve the same goal. I am not sure regarding the
> necessity of a CVE here, though I don't see much of a difference
> between this and any other password disclosures (such as grub.conf)
> discovered in sosreport in the past, except that fstab is world
> readable. In both cases the problem is that this file is handled by
> 3rd parties.
>
> Thanks
>
> -- Dolev Farhi

So /etc/fstab is world readable, within that system. The file is then
being exported to Red Hat, we don't really need or want the password,
we also make an effort to sanitize the data sent, so if nothing else
this falls into the "intended/advertised security feature that failed"
and would qualify for a CVE as such as I understand things.


- -- 
Kurt Seifried - Red Hat - Product Security - Cloud stuff and such
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTh4hrAAoJEBYNRVNeJnmTjYEP/2bPTxCVZW/3XZFu4cMeR47+
pPdOWOO2/InF0W2oVm8nCp5vlgh5qb+brBO32o74gaq27x6BQh0hnzhCsEcF0+rx
Eeg6vDIorvQ5iBNRHqYdCmzgAicTx7RRTGjAyXgQqdLh90mFrNEgA2WgFa0BOkHL
QfrCRWhZ1+KeCkPMURTGAulKBeEMAJxMMIGc3GC408R8jcBNDoFOVmGDC+tPI+Or
KvY4zBu8cf3VFNTGqhdvlJ4Hwu2X14BvaiisQqDLkb6IJX2OVT5vFue9TEZfQQjr
G7TQ1eZsuqh2rOngwJrlDDxSoyiClKclA5NraJUUL1kCJfSzAS4NxBjIpNWp94Hi
Bx7tXyoCuhk2RZHBusLnFH6j/TJUYgrkOvw8YujzIE6FtX2V66SiyrDKOH620IWZ
J105kcIUMop/x5LBQ3dxx+slTHxHQcmRMpu6aECPt28SgP335nXgbHhwLo12jN8a
NnUKPXbZKBXN1rRcb50DUJPw/5d2DI/j9GCqtNIqxRV/6JIq1/czJyGryyYVmBdL
EYF2HYzaeSBklTJha86JMxNRlyPoS1tSF437SvRwODLtH1lpGXVQNnkCAS2JdLZ9
O6rF2uFCsvbZMklDW/94NgiSlLSVPLfafrlKCBegQClYcOLm0mM81U2PLXcVwN/z
pp6kR35+xGtGkveF6gIg
=s9TQ
-----END PGP SIGNATURE-----
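The thread turns on two things: the inline `password=` mount option that a collector such as sosreport should strip before the file leaves the host, and the `credentials=` option that keeps the secret out of /etc/fstab altogether. The following is an added example written for this archive page, not code from sos or from either poster. It scrubs the options field of fstab lines and reports which lines still carry an inline password; the sample fstab is constructed, and the option names it redacts (`password` and `pass`, both accepted by mount.cifs) are this example's own assumption.

```python
import re

# Mount options whose values are secrets. mount.cifs accepts both spellings;
# treating exactly these keys as secret is this example's assumption, not
# something sos itself defines.
SECRET_OPTION_KEYS = {"password", "pass"}

# Fields: device, mount point, fs type, options. Surrounding whitespace is
# captured so the scrubbed line keeps the original layout.
_FSTAB_RE = re.compile(r"^(\s*\S+\s+\S+\s+\S+\s+)(\S+)(.*)$")


def scrub_fstab_line(line):
    """Redact secret option values in a single fstab line.

    Comments, blank lines and lines with fewer than four fields pass
    through unchanged; anything else keeps its layout with only the
    secret values replaced.
    """
    if not line.strip() or line.lstrip().startswith("#"):
        return line
    m = _FSTAB_RE.match(line)
    if m is None:
        return line
    head, options, tail = m.groups()
    scrubbed = []
    for opt in options.split(","):
        # partition on the first '=' so a value containing '=' is still
        # recognised as a value of the secret key
        key, sep, _value = opt.partition("=")
        if sep and key.lower() in SECRET_OPTION_KEYS:
            scrubbed.append(key + "=********")
        else:
            scrubbed.append(opt)
    return head + ",".join(scrubbed) + tail


def scrub_fstab(text):
    """Apply scrub_fstab_line to the full contents of an fstab file."""
    return "\n".join(scrub_fstab_line(line) for line in text.splitlines())


def inline_password_lines(text):
    """Return 1-based numbers of lines whose options carry an inline password.

    This is the check a collector, or an admin auditing a host, would run
    before the file is handed to a third party.
    """
    return [
        n for n, line in enumerate(text.splitlines(), start=1)
        if scrub_fstab_line(line) != line
    ]


# Constructed sample: one CIFS mount with the password inline (the problem
# discussed above) and one using credentials= (the recommended practice).
SAMPLE_FSTAB = """\
# constructed sample, not a real system's fstab
UUID=0000-0000 /      ext4 defaults 1 1
//fileserver/share   /mnt/share   cifs username=bob,password=hunter2,uid=1000 0 0
//fileserver/archive /mnt/archive cifs credentials=/root/.smbcreds,uid=1000  0 0
"""

if __name__ == "__main__":
    print("lines with inline passwords:", inline_password_lines(SAMPLE_FSTAB))
    print(scrub_fstab(SAMPLE_FSTAB))
```

Run stand-alone it flags line 3 and prints the file with `hunter2` replaced, while the `credentials=/root/.smbcreds` reference on line 4 is left intact: a path to a root-only file is exactly what should be in a world-readable fstab, and it is what a scrubbed report still needs in order to be useful for troubleshooting.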

