term.log is world readable and shouldn't be

Bug #975199 reported by James Troup
Affects                Status        Importance  Assigned to       Milestone
apt (Ubuntu)           Fix Released  Undecided   Michael Vogt
apt (Ubuntu Oneiric)   Fix Released  Undecided   Marc Deslauriers
apt (Ubuntu Precise)   Fix Released  Undecided   Marc Deslauriers
apt (Ubuntu Quantal)   Fix Released  Undecided   Marc Deslauriers
apt (Ubuntu Raring)    Fix Released  Undecided   Michael Vogt

Bug Description

| root@dziban:/etc# ls -l /var/log/apt/term.log*
| -rw-r--r-- 1 root adm 87718 Apr 6 10:33 /var/log/apt/term.log

This file includes anything you type into a shell spawned via dpkg's
conffile handling. I don't expect my root shell sessions to be logged
(keystrokes and all) to a world readable file and I imagine I'm not
the only one.

Tags: patch
James Troup (elmo) wrote :

This appears to be a regression in precise. lucid has these files as
600.

Marc Deslauriers (mdeslaur) wrote :

This was introduced in Oneiric, as the fix for bug 404724

Michael, is there any way to exclude the shell being logged in term.log?

Changed in apt (Ubuntu):
status: New → Confirmed
Changed in apt (Ubuntu Oneiric):
status: New → Confirmed
Michael Vogt (mvo) wrote :

Hey Marc, unfortunately not AFAICT. It will simply log everything on the pty that dpkg runs on. We could make it 0640 root.adm as a middle ground maybe?

Marc Deslauriers (mdeslaur) wrote :

Yeah, that would be acceptable I think. Elmo?

James Troup (elmo) wrote : Re: [Bug 975199] Re: term.log is world readable and shouldn't be

Marc Deslauriers <email address hidden> writes:

> Yeah, that would be acceptable I think. Elmo?

It's better than what we have now, so, sure.

--
James

Changed in apt (Ubuntu Oneiric):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in apt (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Michael Vogt (mvo) wrote :

Bzr bundle with a fix, note that the apt.postinst needs version number adjustment of course.

Jamie Strandboge (jdstrand) wrote :

This still doesn't seem to be fixed. Has there been any progress on it?

Michael Vogt (mvo) wrote :

@Jamie: sorry, this slipped my attention. If you agree with the direction in the bzr bundle I'm happy to prepare debdiffs for precise, quantal with the fix.

Jamie Strandboge (jdstrand) wrote :

It looks good to me, though I'm guessing the version check in postinst might need to be adjusted?

Michael Vogt (mvo) wrote :

I adjusted the version checks in the postinst now, this should be ok now (but double check of course welcome!).

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2012-0961

Changed in apt (Ubuntu Quantal):
assignee: nobody → Marc Deslauriers (mdeslaur)
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.16~exp12ubuntu10.7

---------------
apt (0.8.16~exp12ubuntu10.7) precise-security; urgency=low

  * SECURITY UPDATE: change permissions of
    /var/log/apt/term.log to 0640 (LP: #975199)
    - CVE-2012-0961
 -- Michael Vogt <email address hidden> Tue, 04 Dec 2012 15:38:12 +0100
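A small audit-and-fix script in the spirit of the security update above, added here as an example and not taken from apt's own postinst; it assumes GNU stat and takes the log directory as an argument so it can be exercised on a scratch directory rather than on /var/log/apt directly:

```shell
#!/bin/sh
# Added example (not apt's own code): find world-readable apt terminal logs,
# including rotated copies, and tighten them to 0640 root:adm as the update
# does. Assumes GNU coreutils stat; chown only runs when invoked as root.

# Print the octal mode of a file, e.g. 644.
log_mode() {
    stat -c '%a' "$1"
}

# Succeed when the "other" read bit is set (last octal digit 4, 5, 6 or 7).
is_world_readable() {
    case "$(log_mode "$1")" in
        *4|*5|*6|*7) return 0 ;;
        *) return 1 ;;
    esac
}

# List world-readable term.log files on stderr, print their count on stdout.
count_world_readable_logs() {
    dir=$1
    found=0
    for f in "$dir"/term.log "$dir"/term.log.*; do
        [ -e "$f" ] || continue        # unmatched glob leaves the pattern
        if is_world_readable "$f"; then
            echo "WORLD-READABLE: $f ($(log_mode "$f"))" >&2
            found=$((found + 1))
        fi
    done
    echo "$found"
}

# Apply the fix from the changelog: mode 0640, group adm, on every log file.
fix_term_logs() {
    dir=$1
    for f in "$dir"/term.log "$dir"/term.log.*; do
        [ -e "$f" ] || continue
        chmod 0640 "$f"
        if [ "$(id -u)" -eq 0 ]; then
            chown root:adm "$f"
        fi
    done
}

# Usage: sh term-log-perms.sh /var/log/apt   (audit, then fix)
if [ "$#" -ge 1 ]; then
    count_world_readable_logs "$1"
    fix_term_logs "$1"
fi
```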

Changed in apt (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.9.7.5ubuntu5.2

---------------
apt (0.9.7.5ubuntu5.2) quantal-security; urgency=low

  * SECURITY UPDATE: change permissions of
    /var/log/apt/term.log to 0640 (LP: #975199)
    - CVE-2012-0961
 -- Michael Vogt <email address hidden> Tue, 04 Dec 2012 15:46:44 +0100

Changed in apt (Ubuntu Quantal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.16~exp5ubuntu13.6

---------------
apt (0.8.16~exp5ubuntu13.6) oneiric-security; urgency=low

  * SECURITY UPDATE: change permissions of
    /var/log/apt/term.log to 0640 (LP: #975199)
    - CVE-2012-0961
 -- Michael Vogt <email address hidden> Tue, 04 Dec 2012 15:27:51 +0100

Changed in apt (Ubuntu Oneiric):
status: Confirmed → Fix Released
Changed in apt (Ubuntu Raring):
assignee: nobody → Michael Vogt (mvo)
tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.9.7.6ubuntu6

---------------
apt (0.9.7.6ubuntu6) raring; urgency=low

  * merged from the debian-sid branch

  [ Program translation updates ]
  * Catalan (Jordi Mallach)
  * Drop a confusing non-breaking space. Closes: #691024
  * Thai (Theppitak Karoonboonyanan). Closes: #691613
  * Vietnamese (Trần Ngọc Quân). Closes: #693773
  * Fix Plural forms in German, French, Japanese and Portuguese
    translations. Thanks to Jakub Wilk for reporting these errors.

  [ Michael Vogt ]
  * change permissions of /var/log/apt/term.log to 0640 (LP: #975199)
 -- Michael Vogt <email address hidden> Thu, 13 Dec 2012 09:14:54 +0100

Changed in apt (Ubuntu Raring):
status: Confirmed → Fix Released
Mikko Rantalainen (mira) wrote :

Why does this log include user input in the first case? I can somewhat understand logging all output but why does the log include input also?

Marc Deslauriers (mdeslaur) wrote :

@Mikko: because when you get a conf file handling dialog, one of the options is to spawn a shell to manually correct the issue. That shell is in the same terminal, hence in the same log file.
