Ubuntu security advisory

SecurityFocus reports a vulnerability in Ubuntu

The problem is that the root password is stored in clear text in a world-readable installer log file. You can verify this by running:

$ grep password /var/log/installer/cdebconf/questions.dat

There is a fix available…

Basically, you just need to do a regular update to get the latest base-config package, which changes the permissions of the file so that it is no longer world-readable, i.e.:

Before:
$ ls -l /var/log/installer/cdebconf/questions.dat
-rw-r--r--  1 root root   61052 2005-12-12 01:44 /var/log/installer/cdebconf/questions.dat

After:
$ ls -l /var/log/installer/cdebconf/questions.dat
-rw-------  1 root root 61018 2006-03-18 11:36 /var/log/installer/cdebconf/questions.dat
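
To check a machine for this exposure without reading ls output by eye, the script below tests whether the file is readable by group or other and whether it has lines matching "password", then applies the mode from the "after" listing. It is an added example, not code from the advisory or the base-config package; the function names and the sample line are made up for illustration, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example, not from the advisory or the base-config package.
QUESTIONS_DAT=/var/log/installer/cdebconf/questions.dat   # path from the page

# check_installer_log [FILE]
#   0 = absent, or not readable by group/other
#   1 = readable by group/other, no line matching "password"
#   2 = readable by group/other AND contains lines matching "password"
#   3 = stat failed
check_installer_log() {
    f=${1:-$QUESTIONS_DAT}
    [ -e "$f" ] || return 0
    mode=$(stat -c '%a' "$f") || return 3      # GNU stat, octal mode e.g. 644
    # Octal 044 = read bit for group plus read bit for other.
    [ $(( 0$mode & 044 )) -ne 0 ] || return 0
    if grep -q password "$f" 2>/dev/null; then return 2; fi
    return 1
}

# restrict_installer_log [FILE]: apply the mode shown in the "after" listing.
restrict_installer_log() {
    chmod 600 "${1:-$QUESTIONS_DAT}"
}

# demo: run both functions on a constructed sample file (not real installer
# data) and print "<status before> <status after>".
demo() {
    tmp=$(mktemp) || return 1
    printf 'constructed sample line: root password example-only\n' > "$tmp"
    chmod 644 "$tmp"
    before=0; check_installer_log "$tmp" || before=$?
    restrict_installer_log "$tmp"
    after=0; check_installer_log "$tmp" || after=$?
    rm -f "$tmp"
    echo "$before $after"
}

demo
```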
