TITLE:
Debian Installer Log Files Information Disclosure

SECUNIA ADVISORY ID:
SA19170

VERIFY ADVISORY:
http://secunia.com/advisories/19170/

CRITICAL:
Less critical

IMPACT:
Exposure of sensitive information

WHERE:
Local system

OPERATING SYSTEM:
Debian GNU/Linux unstable alias sid
http://secunia.com/product/530/
Debian GNU/Linux 3.0
http://secunia.com/product/143/
Debian GNU/Linux 3.1
http://secunia.com/product/5307/

DESCRIPTION:
Joey Hess has reported a vulnerability in Debian, which can be exploited by malicious, local users to disclose sensitive information.

The problem is caused by user credentials being written to world-readable installation log files during installation. This can be exploited to disclose the preseeded password of root and other users if a preseed file is used for an automated install, and the pppoeconf passwords in the base-config log file.

The vulnerability has been reported in version 4.0.3-31sarge5 and 4.0.14-7 of the shadow package, and version 2.53.10 of the base-config package.

SOLUTION:
The vulnerability will reportedly be fixed in version 4.0.14-9 of the shadow package.

PROVIDED AND/OR DISCOVERED BY:
Joey Hess

ORIGINAL ADVISORY:
Debian:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356939
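A local check for the exposure described in this advisory, as an added example that is not part of the Secunia advisory or of the Debian packages: it reports files under a log directory that other local users can reach and read and that contain credential-looking lines, and can then restrict them. The directory passed in, the `password`/`passwd` pattern and the sample tree built by `make_sample` are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumption: credential-bearing log lines mention "password" or "passwd".
CRED_RE = re.compile(r"passw(?:or)?d", re.IGNORECASE)

def audit(root):
    """Return [(path, [line numbers])] for credential-looking lines other users can read."""
    findings = []
    if not os.stat(root).st_mode & stat.S_IXOTH:
        return findings  # others cannot enter root at all
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories without o+x: files below them are unreachable.
        dirnames[:] = [d for d in dirnames
                       if os.stat(os.path.join(dirpath, d)).st_mode & stat.S_IXOTH]
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode) or not mode & stat.S_IROTH:
                continue
            with open(path, errors="replace") as fh:
                hits = [n for n, line in enumerate(fh, 1) if CRED_RE.search(line)]
            if hits:
                findings.append((path, hits))  # line numbers only, never the secret
    return findings

def restrict(findings):
    """Leave each flagged file readable and writable by its owner only."""
    for path, _ in findings:
        os.chmod(path, 0o600)

def make_sample():
    """Build a constructed log tree (not real installer output) for the demo."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "closed"))
    samples = {"install.log": ("base system ok\nroot password: example\n", 0o644),
               "hardware.log": ("detected eth0\n", 0o644),
               "owner-only.log": ("user password: example\n", 0o600),
               "closed/ppp.log": ("pppoe password: example\n", 0o644)}
    for rel, (text, mode) in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "closed"), 0o700)
    os.chmod(root, 0o755)
    return root
```

The check assumes the directories above the one passed to `audit` are traversable by other users, as a system log directory normally is. Restricting the files limits who can read them; any password that was already exposed should still be changed.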