Server Platforms
Discussion regarding any server based ubuntu release.

Old March 12th, 2006   #61
cjwatson
Ubuntu Developer
 
Join Date: Nov 2004
Beans: 69
Ubuntu Jaunty Jackalope (testing)
Re: Possible to get the administrator password ?

So, er, yeah. This one sucked. As others have said, security updates are now making their way ASAP to both Breezy and Dapper (the latter for Breezy installs upgraded to Dapper). Here's the comment I just posted to OSNews about this:

I'm the Ubuntu installer maintainer, so obviously this bug is ultimately my fault. I'm sorry for that - it's clear it shouldn't have sneaked past QA. (We'll be updating our testing processes to be rather more careful about this sort of thing.) Now that I've spent the evening doing security updates to clean up the mess, I thought I might take a moment to explain how this happened, and why it wasn't noticed as an issue in Breezy at the same time as it was fixed in Dapper.

The Ubuntu installer (like Debian) uses a framework called debconf to do all its user interaction; that framework has a backend database which stores all the answers, which is where passwords ended up being stored for this vulnerability. Naturally, when you're asking for passwords using debconf, you take a lot of care to clean them out of the database afterwards: we explicitly clear them out in the password-asking code pretty much as soon as we can, and we have a separate database for the answers to password questions which isn't copied to the directory of installer log files in the final installed system. This had all been working well for some time (e.g. in Hoary).

Unfortunately, the way we arranged for the password question to be asked in the first stage of the Breezy installer meant that two debconf databases were involved rather than one, and the passwords only got cleared out of one of those databases. Even this would have been OK if it weren't for the fact that some changes we needed to make in cdebconf for other reasons in Breezy (I've yet to track down the exact changesets involved, but never mind) broke the mechanism that was supposed to make sure that passwords ended up in a separate database. Sigh.

As for why we didn't notice the problem in Breezy when this was fixed in Dapper, well, that's because the fix in Dapper was part of a massive installer reorganisation (http://riva.ucam.org/~cjwatson/blog/...installer.html) and it was really just fixed by accident. So it goes.

Anyhow, I've fixed this just about as soon as was humanly possible for me, and take it extremely seriously. While perhaps for some of you it's too little too late, we'll do everything we can to install better defences against this kind of thing in future.
Old March 12th, 2006   #62
towsonu2003
Chocolate-Covered Ubuntu Beans
 
Join Date: Oct 2005
Beans: 1,987
Ubuntu 6.06
Re: Possible to get the administrator password ?

just posted to the bug report as well: I got no updates that fixed this. I did upgrades one minute ago, and still had to delete it manually.

damn... thinking that all the ssh "runners" are still screwed... brrrr(ezy). well, at least we'll be famous for being the first most popular and easiest hackable (at the same time) linux distro around

by the way, one of the comments in that bug says dapper is vulnerable too.

one last thing: make this a sticky... this is damn important...
Old March 12th, 2006   #63
say
First Cup of Ubuntu
 
Join Date: Mar 2006
Beans: 3
Re: Possible to get the administrator password ?

Quote:
Originally Posted by knalle
Oslo university is running Ubuntu Breezy 5.10 on all their computers, hehe i might try this on monday
That's not true. UiO doesn't run Breezy anywhere. In fact, they run RHEL on their desktops and a variety of different OSs on the servers.
Old March 12th, 2006   #64
JoWilly
Has an Ubuntu Drip
 
Join Date: Jan 2005
Beans: 526
Re: Possible to get the administrator password ?

Quote:
Originally Posted by towsonu2003
just posted to the bug report as well: I got no updates that fixed this. I did upgrades one minute ago, and still had to delete it manually.
Colin has uploaded the fix, it takes usually about 1 hour to propagate to the repos; no need to go on bitching...

Quote:
Originally Posted by towsonu2003
damn... thinking that all the ssh "runners" are still screwed... brrrr(ezy). well, at least we'll be famous for being the first most popular and easiest hackable (at the same time) linux distro around

by the way, one of the comments in that bug says dapper is vulnerable too.

one last thing: make this a sticky... this is damn important...
As they say.... "**** happens"...

Read again. Dapper is not vulnerable itself, only if upgraded from breezy, which is vulnerable.

I am very impressed by the speed this was fixed on a Sunday evening. Thanks a lot Colin for being so professional.

Last edited by JoWilly; March 12th, 2006 at 08:33 PM..
Old March 12th, 2006   #65
earobinson
Ubuntu Member
 
Join Date: Jan 2005
Location: Toronto, Ontario, Canada
Beans: 2,566
Ubuntu 9.04 Jaunty Jackalope
Re: Possible to get the administrator password ?

I think we have a new bug number 1
Old March 12th, 2006   #66
markt9
First Cup of Ubuntu
 
Join Date: Mar 2006
Beans: 2
Re: Possible to get the administrator password ?

===========================================================
Ubuntu Security Notice USN-262-1 March 12, 2006
Ubuntu 5.10 installer vulnerability
https://launchpad.net/bugs/34606
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

base-config
passwd

The problem can be corrected by upgrading the affected package to
version 2.67ubuntu20 (base-config) and 1:4.0.3-37ubuntu8 (passwd). In
general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Karl Øie discovered that the Ubuntu 5.10 installer failed to clean
passwords in the installer log files. Since these files were
world-readable, any local user could see the password of the first
user account, which has full sudo privileges by default.

The updated packages remove the passwords and additionally make the
log files readable only by root.

This does not affect the Ubuntu 4.10, 5.04, or the upcoming 6.04
installer. However, if you upgraded from Ubuntu 5.10 to the current
development version of Ubuntu 6.04 ('Dapper Drake'), please ensure
that you upgrade the passwd package to version 1:4.0.13-7ubuntu2 to
fix the installer log files.
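cjwatson's post above explains that the leak was a debconf answer database whose password answers were never cleared, and the USN says the fixed packages removed the passwords and made the log files root-only. Here is an added example, not code from the thread, Ubuntu's installer or the security update, of a POSIX sh audit that does both to a debconf-style answer database. It assumes the debconf flat-file layout (records of `Key: value` lines separated by blank lines, `Name:` first) and uses a constructed sample file, since the thread does not name the real installer log path.

```shell
#!/bin/sh
# Added example, not code from the thread or Ubuntu's installer.
# Audits a debconf-style answer database for password answers that
# were never cleared, blanks them, and tightens the file mode: the
# two things USN-262-1 says the fixed packages did.
# Assumed format: records of "Key: value" lines separated by blank
# lines, each with a "Name:" line first and a "Value:" line.

# Print the names of passwd/*password* questions whose Value is still
# filled in. Exit 0 if any leak was found, 1 if the file is clean.
find_leaked_passwords() {
    awk -v RS= '
        /(^|\n)Name: passwd\/[^\n]*password/ {
            name = ""; val = ""
            n = split($0, lines, "\n")
            for (i = 1; i <= n; i++) {
                if (lines[i] ~ /^Name: /)  name = substr(lines[i], 7)
                if (lines[i] ~ /^Value: /) val  = substr(lines[i], 8)
            }
            if (val != "") { print name; found = 1 }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Blank the Value of every password record in place (keeping the file
# inode and owner) and make it readable by its owner only.
scrub_password_answers() {
    tmp="$1.scrub.$$"
    awk -v RS= -v ORS="\n\n" '
        /(^|\n)Name: passwd\/[^\n]*password/ { gsub(/\nValue: [^\n]*/, "\nValue: ") }
        { print }' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
    chmod 600 "$1"
}

# Constructed sample database; the password value is fake. The real
# installer log path is not named in the thread, so pass your own.
make_sample_db() {
    cat > "$1" <<'EOF'
Name: passwd/username
Template: passwd/username
Value: alice
Owners: d-i

Name: passwd/user-password
Template: passwd/user-password
Value: hunter2-FAKE
Owners: d-i
EOF
    chmod 644 "$1"   # world-readable, as in the vulnerable Breezy install
}
```

Run `make_sample_db /tmp/q.dat; find_leaked_passwords /tmp/q.dat && scrub_password_answers /tmp/q.dat` to see the detection fire once and then go quiet; the username answer is left intact because only password questions are scrubbed.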
Old March 12th, 2006   #67
jimmygoon
Has an Ubuntu Drip
 
Join Date: Aug 2005
Beans: 365
Re: Possible to get the administrator password ?

To my understanding... this is understood but... Dapper Flight 5 (for me at least) does not suffer from this "bug"
Old March 12th, 2006   #68
kaamos
Fresh Brewed Ubuntu
 
Join Date: Oct 2005
Location: Helsinki, Finland
Beans: 1,350
Re: Possible to get the administrator password ?

Updated, upgraded, problem solved. That was fast (thank god).
Old March 12th, 2006   #69
TrendyDark
Ubuntu Extra Shot
 
Join Date: Feb 2006
Location: Marion, NC
Beans: 322
Ubuntu 7.04 Feisty Fawn
Re: Possible to get the administrator password ?

I just checked out this file in my install and yes, it is there. No, I'm not worried about Breezy security, and thanks for letting us know about this.

Is it safe to just delete this file from any future Breezy installations? I plan on installing Breezy on several machines later this month and I don't need everyone to know they aren't safe.
Old March 12th, 2006   #70
gaz00
First Cup of Ubuntu
 
Join Date: Mar 2006
Beans: 1
Ubuntu Breezy 5.10
Re: Possible to get the administrator password ?

Colin - thanks for the fast work!