Message-ID: <Pine.GSO.4.64.1011171650010.24946@faron.mitre.org>
Date: Wed, 17 Nov 2010 17:00:29 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Josh Bressers <bressers@...hat.com>
cc: oss-security@...ts.openwall.com
Subject: Re: Clear text password in process list when using MySQL GUI tools

On Wed, 17 Nov 2010, Josh Bressers wrote:

> What are the thoughts of MITRE on this one? This affects all sorts of
> stuff, and I don't upstream removing the command line option (which is
> probably the only fix).

As already mentioned, this kind of thing has been covered in CVE before,
and I don't see a reason to omit it. Yes it can be a pain to fix, but in
most informal security models, one unprivileged user on a local system
should not be able to view any portion of sensitive information that is
owned by another unprivileged user. In the case of password/credential
leaks, in some cases this effectively compromises a remote system, too.

If an app *only* supports passing of sensitive information through
command-line arguments, then IMO it's probably worthy of a CVE.

My understanding is that some OSes or modules don't support listing of
process arguments, (or even processes of other users?), but I would guess
that most cross-OS (or cross-distro) code has a good likelihood of running
on an OS that supports process arguments.

By the way, this also theoretically applies to environment variables, but
let's not go there. Both problems pose a Pandora's box of questions
regarding how to define 'sensitive information' in a local context (e.g.,
presumably users on a local system have the "privileges" to know the home
directories of all other users) but let's not go there, either ;-)

CWE-214 (Process Environment Information Leak) includes some examples.

- Steve
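An added audit example (not code from the thread, MITRE or MySQL): it parses the NUL-separated /proc/<pid>/cmdline format that any local user can read on a default Linux procfs mount and flags arguments carrying a secret. The mysql client's --password=<pw> and glued -p<pw> forms are real; the other option names in the patterns are common conventions assumed here.

```python
import os
import re

# "--password=<pw>" style options. The names are common conventions assumed
# here, except mysql's own --password= and -p forms, which are real.
LONG_OPT = re.compile(r"^--?(password|passwd|pass|pw|secret|token|api[-_]?key)=(.+)$", re.I)
# mysql-family clients accept "-pSECRET" glued to the flag; a bare "-p" prompts.
MYSQL_SHORT = re.compile(r"^-p(.+)$")
CRED_FLAGS = {"--password", "--passwd", "--token", "--api-key"}  # secret is next argv

def parse_cmdline(raw):
    """Split the /proc/<pid>/cmdline format: argv entries joined by NUL."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def find_credential_args(argv):
    """Return (argv index, redacted argument) for every leaking argument."""
    hits = []
    mysql_tool = bool(argv) and os.path.basename(argv[0]).startswith("mysql")
    skip_next = False
    for i, arg in enumerate(argv):
        if skip_next:                      # value of a flag seen last round
            hits.append((i, "<redacted value>"))
            skip_next = False
            continue
        m = LONG_OPT.match(arg)
        if m is None and mysql_tool and i > 0:
            m = MYSQL_SHORT.match(arg)
        if m:                              # keep the option name, drop the secret
            hits.append((i, arg[: m.start(m.lastindex)] + "<redacted>"))
        elif arg in CRED_FLAGS and not mysql_tool and i + 1 < len(argv):
            hits.append((i, arg))          # mysql's bare --password prompts instead
            skip_next = True
    return hits

def scan_proc(proc_root="/proc"):
    """Walk procfs and report (pid, argv[0], hits) for each exposed process."""
    findings = []
    if not os.path.isdir(proc_root):
        return findings                    # no procfs on this platform
    for pid in (n for n in os.listdir(proc_root) if n.isdigit()):
        try:
            with open(os.path.join(proc_root, pid, "cmdline"), "rb") as fh:
                argv = parse_cmdline(fh.read())
        except OSError:
            continue                       # process exited or cmdline unreadable
        hits = find_credential_args(argv)
        if hits:
            findings.append((int(pid), argv[0] if argv else "", hits))
    return findings
```

Mounting proc with hidepid=2 hides other users' entries from this scan, but as the thread notes, the real fix is for the tool to stop accepting the secret as a command-line argument.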