Date:      Mon, 5 Aug 2002 17:53:56 +0300 (EEST)
From:      Igor Kucherenko <kivvy@sunbay.com>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/41342: gnatsd reveals passwords to syslog
Message-ID:  <200208051453.g75EruL19501@whale.sunbay.crimea.ua>

>Number:         41342
>Category:       ports
>Synopsis:       gnatsd reveals passwords to syslog
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 05 08:00:08 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Igor Kucherenko
>Release:        FreeBSD 4.5-STABLE i386
>Organization:
Sunbay Software Ltd
>Environment:
System: FreeBSD whale.sunbay.crimea.ua 4.5-STABLE FreeBSD 4.5-STABLE #1: Mon Mar 4 21:02:08 EET 2002 kivvy@whale.sunbay.crimea.ua:/usr/src/sys/compile/WHALE i386
>Description:
When user authentication has failed, gnatsd from ports/databases/gnats
writes "user/password" in cleartext form to syslog. This is insecure behaviour.
>How-To-Repeat:
>Fix:
Index: files/patch-gnats::cmds.c
===================================================================
RCS file: files/patch-gnats::cmds.c
diff -N files/patch-gnats::cmds.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-gnats::cmds.c	5 Aug 2002 14:26:56 -0000
@@ -0,0 +1,15 @@
+--- gnats/cmds.c.orig	Sun Feb  4 22:56:10 2001
++++ gnats/cmds.c	Mon Aug  5 17:25:48 2002
+@@ -476,9 +476,9 @@
+ 
+   if (user_access <= ACCESS_NONE)
+     {
+-      syslog (LOG_ERR, "user not allowed access: %s/%s", av[0], av[1]);
+-      printf ("%d You are not on the user access list: %s/%s.\r\n",
+-              CODE_NO_ACCESS, av[0], av[1]);
++      syslog (LOG_ERR, "user %s not allowed access", av[0]);
++      printf ("%d You are not on the user access list.\r\n",
++              CODE_NO_ACCESS, av[0]);
+       exit (1);
+     }
+   
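Review bot: the replacement printf still passes av[0] even though its format string, "%d You are not on the user access list.\r\n", no longer has a %s to consume it. The extra argument is ignored at run time, but format checking (gcc -Wformat) will flag it, so drop it and pass only CODE_NO_ACCESS. The new syslog call correctly keeps av[0] as a %s argument rather than as the format, but the value is still client-supplied: a user who types a password into the user field will have it logged, so the log should still be treated as sensitive.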
>Release-Note:
>Audit-Trail:
>Unformatted:
