mongodb: CVE-2016-6494: world-readable .dbshell history file

Related Vulnerabilities: CVE-2016-6494  

Debian Bug report logs - #832908
mongodb: CVE-2016-6494: world-readable .dbshell history file


Reported by: kpcyrd <kpcyrd@rxv.cc>

Date: Fri, 29 Jul 2016 14:39:06 UTC

Severity: grave

Tags: security, upstream

Found in versions mongodb/1:2.4.10-5, 2.0.6-1, 2.4.10-5

Fixed in versions mongodb/1:2.6.12-3, 2.0.6-1+deb7u1, mongodb/1:3.2.11-1, mongodb/1:2.4.10-5+deb8u1

Done: Apollon Oikonomopoulos <apoikos@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://jira.mongodb.org/browse/SERVER-25335



Report forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#832908; Package mongodb-clients. (Fri, 29 Jul 2016 14:39:10 GMT) (full text, mbox, link).


Acknowledgement sent to kpcyrd <kpcyrd@rxv.cc>:
New Bug report received and forwarded. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Fri, 29 Jul 2016 14:39:10 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: kpcyrd <kpcyrd@rxv.cc>
To: submit@bugs.debian.org
Subject: world-readable .dbshell history file
Date: Fri, 29 Jul 2016 14:37:20 +0000
Package: mongodb-clients
Version: 2.4.10-5
Severity: grave
Tags: security

During the report on redis-tools
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832460), lamby@
linked to a codesearch and the same bug was found in mongodb-clients.

mongodb-clients stores its history in ~/.dbshell; this file is created
with permissions 0644. Home folders are world-readable as well in
Debian, so any user can access other users' mongodb history, even though
db.auth commands don't appear to be logged like redis did.

I filed a bug on upstream as well:
https://jira.mongodb.org/browse/SERVER-25335

Demo: `cat /home/*/.dbshell`




Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 29 Jul 2016 17:33:08 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'https://jira.mongodb.org/browse/SERVER-25335'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 29 Jul 2016 17:33:09 GMT) (full text, mbox, link).


Changed Bug title to 'mongodb: CVE-2016-6494: world-readable .dbshell history file' from 'world-readable .dbshell history file'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 29 Jul 2016 17:33:12 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#832908; Package mongodb-clients. (Sat, 30 Jul 2016 05:00:03 GMT) (full text, mbox, link).


Acknowledgement sent to kpcyrd <kpcyrd@rxv.cc>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sat, 30 Jul 2016 05:00:04 GMT) (full text, mbox, link).


Message #16 received at 832908@bugs.debian.org (full text, mbox, reply):

From: kpcyrd <kpcyrd@rxv.cc>
To: 832908@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>, Chris Lamb <lamby@debian.org>
Subject: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file
Date: Sat, 30 Jul 2016 04:50:44 +0000
So, upstream just closed the issue I created with 'Works as Designed'
blaming the default umask for the bug and that specifying file
permissions for files created by mongodb is not something mongodb should
do.

https://jira.mongodb.org/browse/SERVER-25335#comment-1342085

The bug is locked, what do I do now?




Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#832908; Package mongodb-clients. (Sat, 30 Jul 2016 05:57:09 GMT) (full text, mbox, link).


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sat, 30 Jul 2016 05:57:09 GMT) (full text, mbox, link).


Message #21 received at 832908@bugs.debian.org (full text, mbox, reply):

From: László Böszörményi (GCS) <gcs@debian.org>
To: kpcyrd <kpcyrd@rxv.cc>, 832908@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>, Chris Lamb <lamby@debian.org>
Subject: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file
Date: Sat, 30 Jul 2016 05:53:10 +0000
On Sat, Jul 30, 2016 at 4:50 AM, kpcyrd <kpcyrd@rxv.cc> wrote:
> So, upstream just closed the issue I created with 'Works as Designed'
> blaming the default umask for the bug and that specifying file
> permissions for files created by mongodb is not something mongodb should
> do.
>
> https://jira.mongodb.org/browse/SERVER-25335#comment-1342085
>
> The bug is locked, what do I do now?
You mean what to do with upstream? I guess nothing. Probably I can
fix this myself.
While this is a real issue, I somewhat agree with upstream. Being a
system administrator for a long time, I know, as others should know:
- don't run sensitive services on a machine which can be accessed by
untrusted users,
- even on your regular box set your $HOME to 0700 and your umask to 0077.
In short, always expect the worst case and be prepared.

Regards,
Laszlo/GCS



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#832908; Package mongodb-clients. (Sun, 31 Jul 2016 14:15:08 GMT) (full text, mbox, link).


Acknowledgement sent to kpcyrd <kpcyrd@rxv.cc>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sun, 31 Jul 2016 14:15:08 GMT) (full text, mbox, link).


Message #26 received at 832908@bugs.debian.org (full text, mbox, reply):

From: kpcyrd <kpcyrd@rxv.cc>
To: László Böszörményi (GCS) <gcs@debian.org>
Cc: 832908@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>, Chris Lamb <lamby@debian.org>
Subject: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file
Date: Sun, 31 Jul 2016 14:11:26 +0000
On Sat, Jul 30, 2016 at 05:53:10AM +0000, László Böszörményi (GCS) wrote:
> While this is a real issue, I somewhat agree with upstream. Being a
> system administrator for long time, I know as others should know:
> - don't run sensitive services on a machine which can be accessed by
> untrusted users,
> - even on your regular box set your $HOME to 0700 and your umask to 0077.
> In short, always expect the worst case and be prepared.

As a system administrator, I fully agree that systems should be set up
this way. You might want to consider posting this here[1] and here[2].

[1]: https://bugs.debian.org/398793
[2]: https://bugs.debian.org/782001

As a software engineer, I have to disagree here. You shouldn't assume
your software is running on locked-down environments only. If a file
might contain sensitive data, the file permissions should be set
accordingly, after all, they are setting file permissions correctly on
/var/lib/mongodb (even though they aren't setting them on
/var/log/mongodb either).

There are multiple use cases that might cause people to configure o+x
permissions on home folders, and it's also what Debian sets for home
folders by default.

I don't think blaming users that aren't unix wizards is the right way to
deal with security, instead of having sane defaults towards security.
The worst case should be the exception instead of the norm.

If you run `ls -la ~/.*_history` most developers seem to agree with
this, given that permissions are set correctly regardless of the umask.

> > https://jira.mongodb.org/browse/SERVER-25335#comment-1342085
> >
> > The bug is locked, what do I do now?
>  You mean what to do with upstream? I guess nothing. Probably I can
> fix this myself.

Please go ahead.

This would resolve CVE-2016-6494 for the binary Debian is distributing,
but there are still various downstreams for mongodb on Debian and
MongoDB Inc themselves that would ship without a patch.

Thanks.




Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#832908; Package mongodb-clients. (Sun, 31 Jul 2016 22:33:03 GMT) (full text, mbox, link).


Acknowledgement sent to Ola Lundqvist <ola@inguza.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sun, 31 Jul 2016 22:33:03 GMT) (full text, mbox, link).


Message #31 received at 832908@bugs.debian.org (full text, mbox, reply):

From: Ola Lundqvist <ola@inguza.com>
To: 832908@bugs.debian.org, Debian LTS <debian-lts@lists.debian.org>
Cc: kpcyrd@rxv.cc, gcs@debian.org, Salvatore Bonaccorso <carnil@debian.org>, Chris Lamb <lamby@debian.org>
Subject: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Date: Mon, 1 Aug 2016 00:31:51 +0200
Hi

I'm member of the Long Term Security team in Debian and I'm following this
as I plan to backport the correction to wheezy.

I have a few questions:
1) When do you think you will have a correction available that I can have a
look at?
2) How do you plan to handle the "upgrade case", that is, will you try to
change the permission on already created history files or will you just
handle the creation case?
3) If you plan to handle the "upgrade case", will you just change it in case
the file is world-readable? I mean some may want this group-readable for
some reason.
4) Or do you plan to just change the umask from the default?
5) In case you just handle the creation case, do you think it should be
handled in the upgrade in some way, or should we document this in the security
advisory?

Thanks in advance

// Ola


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#832908; Package mongodb-clients. (Mon, 01 Aug 2016 03:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 01 Aug 2016 03:57:04 GMT) (full text, mbox, link).


Message #36 received at 832908@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>
To: Ola Lundqvist <ola@inguza.com>, 832908@bugs.debian.org, Debian LTS <debian-lts@lists.debian.org>
Cc: kpcyrd@rxv.cc, gcs@debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Date: Mon, 01 Aug 2016 05:53:47 +0200
> 2) How do you plan to handle the "upgrade case" that is will you try to
> change the permission on already created history file or will you just
> handle the creation case?

For redis, what I did was set and then unset the umask (for creation) and
chmod(2) the file afterwards to "upgrade" existing ones.

I don't recommend a postinst approach (i.e. chmod 0600 /home/*/.filename) for
various reasons.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#832908; Package mongodb-clients. (Mon, 01 Aug 2016 22:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to Ola Lundqvist <ola@inguza.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 01 Aug 2016 22:15:04 GMT) (full text, mbox, link).


Message #41 received at 832908@bugs.debian.org (full text, mbox, reply):

From: Ola Lundqvist <ola@inguza.com>
To: 832908@bugs.debian.org
Cc: Ola Lundqvist <ola@inguza.com>, Debian LTS <debian-lts@lists.debian.org>, kpcyrd@rxv.cc, gcs@debian.org, Salvatore Bonaccorso <carnil@debian.org>, Chris Lamb <lamby@debian.org>
Subject: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Date: Tue, 2 Aug 2016 00:13:51 +0200
Hi all

I have prepared a preliminary patch for wheezy. I have not yet been able to
test it fully (it is building right now). It looks like attached. You may
need to modify it for later versions.

Please comment. The principles should be ok even if I may have made some
stupid copy+paste mistake. It worked fine in a little test program I made.

Hope this helps

// Ola

[CVE-2016-6494.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#832908; Package mongodb-clients. (Mon, 01 Aug 2016 22:18:07 GMT) (full text, mbox, link).


Acknowledgement sent to Ola Lundqvist <ola@inguza.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 01 Aug 2016 22:18:07 GMT) (full text, mbox, link).


Message #46 received at 832908@bugs.debian.org (full text, mbox, reply):

From: Ola Lundqvist <ola@inguza.com>
To: Ola Lundqvist <ola@inguza.com>
Cc: 832908@bugs.debian.org, Debian LTS <debian-lts@lists.debian.org>, kpcyrd@rxv.cc, László Böszörményi <gcs@debian.org>, Salvatore Bonaccorso <carnil@debian.org>, Chris Lamb <lamby@debian.org>
Subject: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Date: Tue, 2 Aug 2016 00:15:29 +0200
Hi again

I just realized that we need to change back the umask after the file is
created. I'll update the patch tomorrow and send one that I know works.

// Ola


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#832908; Package mongodb-clients. (Tue, 02 Aug 2016 06:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 02 Aug 2016 06:27:03 GMT) (full text, mbox, link).


Message #51 received at 832908@bugs.debian.org (full text, mbox, reply):

From: Sébastien Delafond <seb@debian.org>
To: 832908@bugs.debian.org
Date: Tue, 2 Aug 2016 08:23:26 +0200
FWIW, the vendor has closed https://jira.mongodb.org/browse/SERVER-25335
with "Works as Designed".

If someone wants to follow up on explaining to mongodb upstream why
umask shouldn't prevent them from applying proper permissions where
needed, they're welcome to do so. ssh-keygen(1) would be a good example
to point to.

Cheers,

--Seb



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#832908; Package mongodb-clients. (Tue, 02 Aug 2016 11:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Ola Lundqvist <ola@inguza.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 02 Aug 2016 11:57:03 GMT) (full text, mbox, link).


Message #56 received at 832908@bugs.debian.org (full text, mbox, reply):

From: Ola Lundqvist <ola@inguza.com>
To: 832908@bugs.debian.org
Cc: Debian LTS <debian-lts@lists.debian.org>, kpcyrd@rxv.cc, László Böszörményi <gcs@debian.org>, Salvatore Bonaccorso <carnil@debian.org>, Chris Lamb <lamby@debian.org>, Ola Lundqvist <ola@inguza.com>
Subject: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Date: Tue, 2 Aug 2016 13:53:53 +0200
Hi again

Here is the working patch (attached).

Hope it helps for later versions too.

// Ola

[CVE-2016-6494.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#832908; Package mongodb-clients. (Tue, 02 Aug 2016 17:18:03 GMT) (full text, mbox, link).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 02 Aug 2016 17:18:03 GMT) (full text, mbox, link).


Message #61 received at 832908@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>
To: Ola Lundqvist <ola@inguza.com>, 832908@bugs.debian.org
Cc: Debian LTS <debian-lts@lists.debian.org>, kpcyrd@rxv.cc, László Böszörményi <gcs@debian.org>, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Date: Tue, 02 Aug 2016 19:14:48 +0200
> Here is the working patch (attached).

Out of interest, why:

+    mode_t prev_mask = umask(0022);
+    // Make sure this file is not readable by others
+    umask(prev_mask | S_IROTH | S_IWOTH | S_IXOTH);
     FILE *fp = fopen(filename,"w");
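
Review bot: the `umask(0022)` on the first added line exists only to read the current mask, but it leaves the process mask at 0022 until the next `umask()` call, and 0022 may be looser than what the user had set. umask(2) has no read-only query, so read and tighten in one step instead, e.g. `mode_t prev_mask = umask(0777);` followed by `umask(prev_mask | S_IRWXO);` (`S_IRWXO` is the same bits as `S_IROTH | S_IWOTH | S_IXOTH`). The restore of `prev_mask` after the `fopen` is not in this excerpt; wherever it sits, it must also run when `fopen` fails, before any early return.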

.. over, say:

+    // Make sure this file is not readable by others
+    mode_t prev_mask = umask(S_IXUSR|S_IRWXG|S_IRWXO);
     FILE *fp = fopen(filename,"w");
+    umask(prev_mask);
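
Review bot: `umask(S_IXUSR|S_IRWXG|S_IRWXO)` yields 0600 whatever the caller's umask was, which silently drops group bits the user may deliberately allow; the first variant ORs the world bits into the existing mask for exactly that reason, so the two are not equivalent. Neither variant covers a `.dbshell` already created at 0644 by the old build: `fopen(filename,"w")` truncates an existing file but does not change its mode, so the `chmod(2)` step described earlier in this thread for redis is still needed for the upgrade case. The `umask(prev_mask)` line after `fopen` is the right shape, provided it also runs on the `fp == NULL` path.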

We don't really want to change the umask for the entire process.
Or at least, we don't know the ramifications of that so better to
keep it isolated to just this bit?


Regards,




Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#832908; Package mongodb-clients. (Tue, 02 Aug 2016 22:00:04 GMT) (full text, mbox, link).


Acknowledgement sent to Ola Lundqvist <ola@inguza.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 02 Aug 2016 22:00:04 GMT) (full text, mbox, link).


Message #66 received at 832908@bugs.debian.org (full text, mbox, reply):

From: Ola Lundqvist <ola@inguza.com>
To: Chris Lamb <lamby@debian.org>
Cc: Ola Lundqvist <ola@inguza.com>, 832908@bugs.debian.org, Debian LTS <debian-lts@lists.debian.org>, kpcyrd@rxv.cc, László Böszörményi <gcs@debian.org>, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Date: Tue, 2 Aug 2016 23:57:27 +0200
Hi Chris

The reason I do not simply set the umask to a fixed value is to use the
same principle as upstream. That is, honor the umask set by the user. There
may be reasons why group read and/or write should be set, for example.

I agree with upstream that the umask should be honored, but not as strictly
as upstream does. This is why I just override the "world readable" part and
let the rest be controlled by the user.

In the working patch you can see that I also set back the umask (just a
little further down in the file) as it was, to just change this specific
case of logging.

More clear now?

Best regards

// Ola


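The approach discussed in the last few messages (honour the user's umask but force the world bits off, restore the mask right after creation, and chmod an already-existing file for the upgrade case), written out as an added example; this is not the patch attached to this bug nor MongoDB's own code, and the function names, the /tmp path and the sample history line are assumptions for the demo:

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Write a shell history file so that it is never world-accessible.
 * Creation: keep the caller's umask but force the "other" bits off.
 * Upgrade: if the file already existed with o+r (e.g. 0644 from an
 * older build), clear only the "other" bits and keep any group bits.
 * Returns 0 on success, -1 on error with errno set.
 */
int write_history_file(const char *path, const char *contents)
{
    /* umask(2) has no read-only form: reading the mask means setting it.
     * Pass 0777 for the instant in between so nothing created meanwhile
     * can be too open, then re-apply the caller's mask plus S_IRWXO. */
    mode_t prev_mask = umask(0777);
    umask(prev_mask | S_IRWXO);           /* honour umask, never o+rwx */

    FILE *fp = fopen(path, "w");          /* new file: 0666 & ~mask */
    int saved_errno = errno;
    umask(prev_mask);                     /* restore for the whole process */
    if (fp == NULL) {
        errno = saved_errno;
        return -1;
    }

    /* fopen("w") truncates an existing file but does not change its mode,
     * so a pre-existing 0644 history file would stay 0644 (upgrade case).
     * The file is empty at this point, so fixing the mode now is safe. */
    struct stat st;
    if (fstat(fileno(fp), &st) != 0) {
        fclose(fp);
        return -1;
    }
    if ((st.st_mode & S_IRWXO) != 0 &&
        fchmod(fileno(fp), (st.st_mode & 07777) & ~S_IRWXO) != 0) {
        fclose(fp);
        return -1;
    }

    if (fputs(contents, fp) == EOF) {
        fclose(fp);
        return -1;
    }
    return fclose(fp) == 0 ? 0 : -1;
}

/* Permission bits (0..07777) of path, or -1 if it cannot be stat'ed.
 * Useful for auditing an existing ~/.dbshell: any of the low three bits
 * set means the file is still readable by other local users. */
int file_mode_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

int main(int argc, char **argv)
{
    /* Demo path and history line are constructed for this example. */
    const char *path = argc > 1 ? argv[1] : "/tmp/dbshell-example";
    if (write_history_file(path, "show dbs\n") != 0) {
        perror("write_history_file");
        return 1;
    }
    printf("%s now has mode %04o\n", path, (unsigned)file_mode_bits(path));
    return 0;
}
```

With a 0022 umask the file comes out 0640 (group bits kept, world bits cleared); with 0077 it comes out 0600, which is how the patch's "honour the umask, but never world-readable" rule behaves.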
Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#832908; Package mongodb-clients. (Tue, 02 Aug 2016 22:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 02 Aug 2016 22:03:04 GMT) (full text, mbox, link).


Message #71 received at 832908@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>
To: Ola Lundqvist <ola@inguza.com>
Cc: 832908@bugs.debian.org, Debian LTS <debian-lts@lists.debian.org>, kpcyrd@rxv.cc, László Böszörményi <gcs@debian.org>, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Date: Wed, 03 Aug 2016 00:00:55 +0200
> This is why I just override the "world readable" part and
> let the rest be controlled by the user.

Ah, didn't quite spot you are overriding just this bit. Worth a comment
I think.

> In the working patch you can see that I also set back the umask (just a
> little further down in the file) as it was to just change this specific
> case of logging.

Well, sure, of course. :)


Regards,




Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#832908; Package mongodb-clients. (Tue, 02 Aug 2016 22:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Ola Lundqvist <ola@inguza.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Tue, 02 Aug 2016 22:09:03 GMT) (full text, mbox, link).


Message #76 received at 832908@bugs.debian.org (full text, mbox, reply):

From: Ola Lundqvist <ola@inguza.com>
To: Chris Lamb <lamby@debian.org>
Cc: Ola Lundqvist <ola@inguza.com>, 832908@bugs.debian.org, Debian LTS <debian-lts@lists.debian.org>, kpcyrd@rxv.cc, László Böszörményi <gcs@debian.org>, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Date: Wed, 3 Aug 2016 00:05:31 +0200
Hi Chris

I had this
// Make sure this file is not readable by others

But maybe it was not clear enough. :-)

// Ola


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#832908; Package mongodb-clients. (Wed, 03 Aug 2016 21:33:06 GMT) (full text, mbox, link).


Acknowledgement sent to Ola Lundqvist <ola@inguza.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Wed, 03 Aug 2016 21:33:06 GMT) (full text, mbox, link).


Message #81 received at 832908@bugs.debian.org (full text, mbox, reply):

From: Ola Lundqvist <ola@inguza.com>
To: Jérémy Lal <kapouer@melix.org>, "Laszlo Boszormenyi (GCS)" <gcs@debian.org>, Debian LTS <debian-lts@lists.debian.org>, 833087@bugs.debian.org, 832908@bugs.debian.org
Subject: Security update of mongodb
Date: Wed, 3 Aug 2016 23:32:02 +0200
Hi Jérémy, Laszlo and LTS team

You have probably seen my latest emails about "Bug#832908: mongodb:
CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade
handling".

I have now prepared a security update of this CVE-2016-6494 and in addition
to that TEMP-0833087-C5410D.

For https://security-tracker.debian.org/tracker/CVE-2016-6494 you can find
the patch in bug 832908.

For https://security-tracker.debian.org/tracker/TEMP-0833087-C5410D I could
not easily backport the fix for sid as the code was considerably different.
So I made a simpler solution. The upstream fix was to mangle only the
sensitive data. In wheezy I replaced the whole sensitive string with XXX.
This means that the logging is not that good anymore, but this should not
impact any application functionality. I do not think most people will
notice this anyway, so I think it is safe.

Upstream fix looks something like this in the logs:
Tue Aug  2 11:41:13 [conn4]  authenticate: { authenticate: 1.0, user:
"foo", nonce: "XXXX", key: "XXXX" }

My fix looks like this:
Wed Aug  3 21:18:52 [conn1]  authenticate: XXXX

I made the short-cut as I do not think it is worth the effort to do a full
back-port.

You can find the debdiff here:
http://apt.inguza.net/wheezy-security/mongodb/mongodb.debdiff

And the prepared package here:
http://apt.inguza.net/wheezy-security/mongodb/

Regarding testing, I have done a simple regression test by installing the
new packages, checking that the database is there and that I can access the
server.

I have also been able to reproduce both issues and been able to verify that
both fixes do really solve the problem.

If I do not hear any objections I will upload the corrected packages in
four (4) days, that is on Sunday (maybe on monday after).

Best regards

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
[Message part 2 (text/html, inline)]
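The two redaction strategies Ola contrasts above, as an added example that is not code from the thread, from Debian or from MongoDB: a small Python redactor that implements both the upstream-style mangling (blank only the nonce and key values, keep the rest of the command document) and the wheezy-style replacement of the whole authenticate payload, run over constructed log lines in the format quoted in the mail. The nonce and key values, the second "end connection" line and the function names are all made up for this example. It also includes the check a reviewer would want to run against either variant: that none of the original secret values survives in the redacted output.

```python
import re

# Constructed sample log lines in the shape of the mongod 2.x "authenticate:"
# entry quoted in the thread. The nonce and key values are made up.
SECRET_NONCE = "5f0c2a1e9b7d3c44"
SECRET_KEY = "0123456789abcdef0123456789abcdef"
SAMPLE_LOG = [
    'Tue Aug  2 11:41:13 [conn4]  authenticate: { authenticate: 1.0, user: "foo", '
    'nonce: "%s", key: "%s" }' % (SECRET_NONCE, SECRET_KEY),
    "Tue Aug  2 11:41:13 [conn4] end connection 127.0.0.1:51234 (0 connections now open)",
]

# Field names whose quoted values must never reach the log.
SENSITIVE_FIELDS = ("nonce", "key")
_FIELD_RE = re.compile(r'\b(%s):\s*"[^"]*"' % "|".join(SENSITIVE_FIELDS))
_AUTH_RE = re.compile(r"(authenticate:\s+).*$")


def redact_fields(line: str) -> str:
    """Upstream-style redaction: keep the command document readable and blank
    only the values of the sensitive fields."""
    return _FIELD_RE.sub(r'\1: "XXXX"', line)


def redact_whole(line: str) -> str:
    """Wheezy-style redaction: drop the entire authenticate payload."""
    return _AUTH_RE.sub(r"\1XXXX", line)


def redact_log(lines, whole=False):
    """Apply one of the two strategies to every authenticate line; all other
    lines pass through untouched."""
    redact = redact_whole if whole else redact_fields
    return [redact(l) if "authenticate:" in l else l for l in lines]


def leaks(lines, secrets=(SECRET_NONCE, SECRET_KEY)) -> bool:
    """The check to run on redacted output: does any known secret still appear?"""
    return any(s in l for l in lines for s in secrets)


if __name__ == "__main__":
    for whole in (False, True):
        out = redact_log(SAMPLE_LOG, whole=whole)
        print("\n".join(out))
        print("leaks:", leaks(out), "\n")
```

The field-level variant is only as good as the list of field names it knows; the whole-payload variant cannot miss a field it has never heard of, which is the trade-off Ola describes between log usefulness and backport effort.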

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#832908; Package mongodb-clients. (Thu, 04 Aug 2016 12:48:03 GMT) (full text, mbox, link).


Acknowledgement sent to Marek Skalický <mskalick@redhat.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Thu, 04 Aug 2016 12:48:03 GMT) (full text, mbox, link).


Message #86 received at 832908@bugs.debian.org (full text, mbox, reply):

From: Marek Skalický <mskalick@redhat.com>
To: 832908@bugs.debian.org
Subject: Re: Security update of mongodb
Date: Thu, 04 Aug 2016 14:45:42 +0200
Please try to persuade upstream for the fix in
https://groups.google.com/forum/#!topic/mongodb-dev/-QR4B7PJ9YY

Thanks,
Marek

On Wed, 3 Aug 2016 23:32:02 +0200 Ola Lundqvist <ola@inguza.com> wrote:
> Hi Jérémy, Laszlo and LTS team
> 
> You have probably seen my latest emails about "Bug#832908: mongodb:
> CVE-2016-6494: world-readable .dbshell history file: LTS update and
> upgrade handling".
> 
> I have now prepared a security update of this CVE-2016-6494 and in
> addition to that TEMP-0833087-C5410D.
> 
> For https://security-tracker.debian.org/tracker/CVE-2016-6494 you can
> find the patch in bug 832908.
> 
> For https://security-tracker.debian.org/tracker/TEMP-0833087-C5410D I
> could not easily backport the fix for sid as the code was considerably
> different. So I made a simpler solution. The upstream fix was to mangle
> only the sensitive data. In wheezy I replaced the whole sensitive string
> with XXX. This means that the logging is not that good anymore but this
> should not impact any application functionality. I do not think most
> people will notice this anyway so I think it is safe.
> 
> Upstream fix looks something like this in the logs:
> Tue Aug  2 11:41:13 [conn4]  authenticate: { authenticate: 1.0, user:
> "foo", nonce: "XXXX", key: "XXXX" }
> 
> My fix looks like this:
> Wed Aug  3 21:18:52 [conn1]  authenticate: XXXX
> 
> I made the short-cut as I do not think it is worth the effort to do a
> full back-port.
> 
> You can find the debdiff here:
> http://apt.inguza.net/wheezy-security/mongodb/mongodb.debdiff
> 
> And the prepared package here:
> http://apt.inguza.net/wheezy-security/mongodb/
> 
> Regarding testing I have done a simple regression test by installing
> the new packages, checking that the database is there and that I can
> access the server.
> 
> I have also been able to reproduce both issues and been able to
> verify that both fixes do really solve the problem.
> 
> If I do not hear any objections I will upload the corrected packages
> in four (4) days, that is on Sunday (maybe on monday after).
> 
> Best regards
> 
> // Ola
> 
> -- 
>  --- Inguza Technology AB --- MSc in Information Technology ----
> /  ola@inguza.com                    Folkebogatan 26            \
> |  opal@debian.org                   654 68 KARLSTAD            |
> |  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>  ---------------------------------------------------------------



Marked as found in versions 2.0.6-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 08 Aug 2016 13:57:10 GMT) (full text, mbox, link).


Marked as fixed in versions 2.0.6-1+deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 08 Aug 2016 13:57:10 GMT) (full text, mbox, link).


Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Tue, 09 Aug 2016 22:30:04 GMT) (full text, mbox, link).


Notification sent to kpcyrd <kpcyrd@rxv.cc>:
Bug acknowledged by developer. (Tue, 09 Aug 2016 22:30:05 GMT) (full text, mbox, link).


Message #95 received at 832908-close@bugs.debian.org (full text, mbox, reply):

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 832908-close@bugs.debian.org
Subject: Bug#832908: fixed in mongodb 1:2.6.12-3
Date: Tue, 09 Aug 2016 22:26:49 +0000
Source: mongodb
Source-Version: 1:2.6.12-3

We believe that the bug you reported is fixed in the latest version of
mongodb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 832908@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated mongodb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 08 Aug 2016 21:56:32 +0000
Source: mongodb
Binary: mongodb mongodb-server mongodb-clients
Architecture: source amd64
Version: 1:2.6.12-3
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 mongodb    - object/document-oriented database (metapackage)
 mongodb-clients - object/document-oriented database (client apps)
 mongodb-server - object/document-oriented database (server package)
Closes: 832908
Changes:
 mongodb (1:2.6.12-3) unstable; urgency=high
 .
   * Fix CVE-2016-6494 , prevent group and other access to .dbshell
     (closes: #832908).
Checksums-Sha1:
 15971b52c299b7c6ee59d9944d22262388b0c999 2738 mongodb_2.6.12-3.dsc
 d19c2e03cf445e197e0bd2bc28f9b08be3309c47 53000 mongodb_2.6.12-3.debian.tar.xz
 2859ad4ca521169e02035c52386d0d7a9ab2ce9b 1255815488 mongodb-clients-dbgsym_2.6.12-3_amd64.deb
 8fdfe5a132d4ac364a93943e8422a3a311fbea98 47043808 mongodb-clients_2.6.12-3_amd64.deb
 3427389cd93143fa5d1ff812d60832c1746bfc84 178246036 mongodb-server-dbgsym_2.6.12-3_amd64.deb
 1681cb59efc82a229a7359967023193a215d440f 7216400 mongodb-server_2.6.12-3_amd64.deb
 514b73f0cffcb910e60f378a5750ba094dd72238 16994 mongodb_2.6.12-3_amd64.deb
Checksums-Sha256:
 fbb0c2ef8b3c151d6e6f67cc97b2ad0501499386b5b62aa08468373ff26566b5 2738 mongodb_2.6.12-3.dsc
 b534195da23b96936c1d702f4fac9edc516ac83737b9ec9bdce7324ac3b08c0d 53000 mongodb_2.6.12-3.debian.tar.xz
 7017bcdadda0f32af1ee6ce1b7fada5c81a6397d997631c0c6d9fdd3d6557023 1255815488 mongodb-clients-dbgsym_2.6.12-3_amd64.deb
 c757867ad5b391e7088d0be5c018b7b4cbef20900c59fc835e92a27faa4be0ff 47043808 mongodb-clients_2.6.12-3_amd64.deb
 5bbf4005b5ca3be8a321d185dde5de72d1d9ca7fa90819ba64e5d62702266c21 178246036 mongodb-server-dbgsym_2.6.12-3_amd64.deb
 2ce9e01a4747e06f3b160c9a0c52464613faf6102bb88e88d6e7808ddd676233 7216400 mongodb-server_2.6.12-3_amd64.deb
 df480f6ca6c22409bd1dc6c2120be02e9726793f94773a0fa2baf70df1aac241 16994 mongodb_2.6.12-3_amd64.deb
Files:
 bf33b695c54c99b71c92345ff5181d1e 2738 database optional mongodb_2.6.12-3.dsc
 c1bf57240f0a679bf96c0696ae4b4841 53000 database optional mongodb_2.6.12-3.debian.tar.xz
 40d2974b66c2a9b1c7859f71a660716b 1255815488 debug extra mongodb-clients-dbgsym_2.6.12-3_amd64.deb
 36a9205c8fe7c9e75df8c7a82314118f 47043808 database optional mongodb-clients_2.6.12-3_amd64.deb
 1a50e5879ebbbd7fe6ecaae0d15e0217 178246036 debug extra mongodb-server-dbgsym_2.6.12-3_amd64.deb
 3206ea83f7b1e367d935740a64a5f6ec 7216400 database optional mongodb-server_2.6.12-3_amd64.deb
 6f08aa96f355e8272ab10c906c471953 16994 database optional mongodb_2.6.12-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
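The changelog entry above closes the bug by preventing group and other access to .dbshell. As an added example, not code from the Debian package or from MongoDB, here is the same idea in Python: an audit that turns the reporter's `cat /home/*/.dbshell` into a permission scan over a home directory tree, and a creator that opens the history file 0600 regardless of umask and tightens a pre-existing 0644 file on the way. The `demo()` helper, the home directory layout and the history contents are all constructed for this example; nothing here touches the real /home.

```python
import os
import stat
import tempfile

HISTORY_NAME = ".dbshell"   # the mongo shell's readline history file


def history_exposed(path: str) -> bool:
    """True when group or other hold any permission bit on the file, i.e. the
    pre-fix 0644 state the bug report describes."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def scan_homes(home_root: str) -> list:
    """The reporter's `cat /home/*/.dbshell` turned into an audit: return every
    history file directly under a home in home_root that other users can read."""
    findings = []
    try:
        with os.scandir(home_root) as entries:
            homes = [e.path for e in entries if e.is_dir(follow_symlinks=False)]
    except OSError:
        return findings
    for home in homes:
        hist = os.path.join(home, HISTORY_NAME)
        try:
            if history_exposed(hist):
                findings.append(hist)
        except OSError:
            continue  # no history file for this user, or we may not stat it
    return findings


def open_history_private(path: str):
    """Open the history file for appending so that a new file is created 0600
    (umask can only clear bits from that mode, never add them) and a file left
    behind as 0644 by an older shell is tightened as well."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    os.fchmod(fd, 0o600)
    return os.fdopen(fd, "a")


def demo() -> tuple:
    """Build a throwaway home tree with one leaky history file, audit it,
    rewrite it privately, and audit again."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "alice")
        os.mkdir(home)
        hist = os.path.join(home, HISTORY_NAME)
        with open(hist, "w") as f:
            f.write("show dbs\n")       # constructed history content
        os.chmod(hist, 0o644)           # what the unfixed shell left behind
        before = scan_homes(root)
        with open_history_private(hist) as f:
            f.write("use admin\n")
        after = scan_homes(root)
        mode = stat.S_IMODE(os.stat(hist).st_mode)
        return (len(before), len(after), oct(mode))


if __name__ == "__main__":
    print(demo())   # (1, 0, '0o600')
```

The fchmod on an already-open descriptor matters for the upgrade case the thread discusses: users who ran the old client already have a 0644 history, and a fix that only sets the creation mode leaves those files exposed until something rewrites them.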




Marked as found in versions mongodb/1:2.4.10-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 11 Aug 2016 05:48:03 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 07:45:30 GMT) (full text, mbox, link).


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:52:20 GMT) (full text, mbox, link).


Marked as fixed in versions mongodb/1:3.2.11-1. Request was from Apollon Oikonomopoulos <apoikos@debian.org> to control@bugs.debian.org. (Fri, 16 Dec 2016 04:48:03 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from Apollon Oikonomopoulos <apoikos@debian.org> to control@bugs.debian.org. (Sat, 28 Jan 2017 19:45:06 GMT) (full text, mbox, link).


Reply sent to Apollon Oikonomopoulos <apoikos@debian.org>:
You have taken responsibility. (Sun, 12 Feb 2017 22:51:07 GMT) (full text, mbox, link).


Notification sent to kpcyrd <kpcyrd@rxv.cc>:
Bug acknowledged by developer. (Sun, 12 Feb 2017 22:51:08 GMT) (full text, mbox, link).


Message #110 received at 832908-close@bugs.debian.org (full text, mbox, reply):

From: Apollon Oikonomopoulos <apoikos@debian.org>
To: 832908-close@bugs.debian.org
Subject: Bug#832908: fixed in mongodb 1:2.4.10-5+deb8u1
Date: Sun, 12 Feb 2017 22:47:09 +0000
Source: mongodb
Source-Version: 1:2.4.10-5+deb8u1

We believe that the bug you reported is fixed in the latest version of
mongodb, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 832908@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Apollon Oikonomopoulos <apoikos@debian.org> (supplier of updated mongodb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 11 Jan 2017 11:17:56 +0200
Source: mongodb
Binary: mongodb mongodb-server mongodb-clients mongodb-dev
Architecture: source
Version: 1:2.4.10-5+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Apollon Oikonomopoulos <apoikos@debian.org>
Description:
 mongodb    - object/document-oriented database (metapackage)
 mongodb-clients - object/document-oriented database (client apps)
 mongodb-dev - object/document-oriented database (development)
 mongodb-server - object/document-oriented database (server package)
Closes: 832908 833087
Changes:
 mongodb (1:2.4.10-5+deb8u1) jessie; urgency=medium
 .
   * Redact key and nonce from auth attempt logs (Closes: #833087)
   * Backport patch for CVE-2016-6494 from 2.6 (Closes: #832908)
Checksums-Sha1:
 6ed2b5928e8ed601c25fc19b3efee6dc77d9437a 2811 mongodb_2.4.10-5+deb8u1.dsc
 0105e9282795ed9d780ae5efb6586c9108f0180b 57220 mongodb_2.4.10-5+deb8u1.debian.tar.xz
Checksums-Sha256:
 7c5b1ec310c3167e8cb2f29b62ac625dc1f5432d0ecbe42d92d08aa496cf4a92 2811 mongodb_2.4.10-5+deb8u1.dsc
 9db03eb4de977a690e679edac9a5c0810c11fd15865b3faa203fea3c6cd12b21 57220 mongodb_2.4.10-5+deb8u1.debian.tar.xz
Files:
 f8ee704885bbc85b0ac04d76123c9d43 2811 database optional mongodb_2.4.10-5+deb8u1.dsc
 60bf0e4460a40674ecfd605f2f407381 57220 database optional mongodb_2.4.10-5+deb8u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 19 Nov 2017 07:25:26 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:29:50 2019; Machine Name: buxtehude