Linked by Thom Holwerda on Sun 12th Mar 2006 20:46 UTC, submitted by lotusleaf
Ubuntu, Kubuntu, Xubuntu A major, critical bug and possible security threat has been discovered in Ubuntu Breezy. Apparently, the 'root' password (not actually the root password because Ubuntu uses sudo) gets written into the installer's log files in clear text, and can be read by any account on the Ubuntu machine. The bug was first discovered and reproduced on the Ubuntu forums. The bug does not seem to affect Dapper, however, users upgrading from Breezy to Dapper might still be at risk because the log files are not modified. Update: Bug is fixed. Please upgrade.
Permalink for comment 103924
To read all comments associated with this story, please click here.
RE[5]: Cue the peanut gallery
by atsureki on Mon 13th Mar 2006 05:34 UTC in reply to "RE[4]: Cue the peanut gallery"
atsureki
Member since:
2006-03-12

So if my bank's ATM had a flaw in the UI that allowed me to bypass authentication and simply withdraw money, that wouldn't be breaking in?

Please, get a clue.


If your "bank" were a private citizen and the "ATM" were his unguarded Wintel box and the "money" were a bunch of bits on a physical disk that you could easily pop out with nothing but a Phillips head screwdriver, then we might be somewhere in the ballpark of what I said, yes.

I'm minimizing the security flaw on the grounds that it's nearly useless, not that it's easy. Gaining low-level control of any PC you have in your physical possession is a walk in the park. Doing it without having to restart isn't much of an exploit.

Another reply mentioned untrusted ssh, but that's a whole separate can of worms. You've gotta know what you're doing to get away with something like that regardless of your distro. Make a chroot jail and debootstrap. No password set prompts, no install log entry, no security bug.

A clear text password sitting anywhere on a filesystem in this day and age is pathetic, but all these red flag terms like root access are going to give people the wrong idea. It's an embarrassment, not a catastrophe.

Reply Parent Score: 2