group.of.nepali.translators team mailing list archive

[Bug 1574458] Re: Logs.var.log.mysql.error.log.txt contains usernames and passwords


@racb, @lars-tangvald:

I think I have set the various tasks correctly now. But I'm not sure if
anyone has verified if the issue is present in Trusty (older versions of
the MySQL packages) or in MariaDB's packaging.

** Also affects: mysql-5.5 (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: mysql-5.6 (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: mariadb-5.5 (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: mariadb-10.0 (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: mysql-5.7 (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** No longer affects: mysql-5.7 (Ubuntu Trusty)

** No longer affects: mariadb-10.0 (Ubuntu Trusty)

** Changed in: mysql-5.6 (Ubuntu)
       Status: New => Invalid

** Changed in: mysql-5.5 (Ubuntu)
       Status: New => Invalid

** Changed in: mariadb-5.5 (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1574458

Title:
  Logs.var.log.mysql.error.log.txt contains usernames and passwords

Status in mariadb-10.0 package in Ubuntu:
  Invalid
Status in mariadb-10.1 package in Ubuntu:
  New
Status in mariadb-5.5 package in Ubuntu:
  Invalid
Status in mysql-5.5 package in Ubuntu:
  Invalid
Status in mysql-5.6 package in Ubuntu:
  Invalid
Status in mysql-5.7 package in Ubuntu:
  Fix Released
Status in mariadb-5.5 source package in Trusty:
  New
Status in mysql-5.5 source package in Trusty:
  New
Status in mysql-5.6 source package in Trusty:
  Invalid
Status in mariadb-10.0 source package in Xenial:
  Confirmed
Status in mysql-5.7 source package in Xenial:
  Fix Released

Bug description:
  MySQL has some logic for ensuring passwords aren't written to the
  logs, detailed at
  https://dev.mysql.com/doc/refman/5.7/en/password-logging.html
  (passwords are rewritten before they are logged).
  However, a failed grant statement is written unaltered to the error
  log, bypassing the password rewriting logic.

  [Impact]
  Ubuntu's bug reporting system will suggest uploading the error log to a bug report. This can lead to user credentials being written in plain text in public bug reports.

  [Test case]
  (note/todo: I had a simpler test for this, but can't find the exact syntax for it)
  * Add the following to the server config:
  plugin-load=validate_password.so
  validate-password=FORCE_PLUS_PERMANENT
  and restart the server
  * Log in and run GRANT ALL ON *.* TO 'user'@'localhost' IDENTIFIED BY '123';
  * Observe the statement failing because it doesn't follow the password validation rules
  * Run "ubuntu-bug mysql-server"
  * Choose "View Report"
  * Search for "123"

  Expected behavior:
  Password is scrambled or otherwise not written to the apport report

  Actual behavior:
  The entire failed grant statement is written to the apport report

  [Regression Potential]
  The fix replaces all lines in the log that contain any of the terms mentioned on the password-logging site, so it will rewrite more lines than strictly necessary, potentially making debugging harder.

  [Original description]
  Your automated bug reports are posting Logs.var.log.mysql.error.log.txt in clear text. These logs may contain PII as well as user credentials.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mariadb-10.0/+bug/1574458/+subscriptions
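The two scrubbing strategies at issue in this bug, the coarse per-line replacement that the [Regression Potential] section describes and a narrower rewrite that blanks only the quoted secret, as an added Python example. This is not code from the bug report, from MySQL, or from the Ubuntu package's fix. The keyword list, the regular expressions and the sample error-log lines are this example's own assumptions; the log lines are constructed, with their layout modelled on the MySQL 5.7 error log and message text that is illustrative only.

```python
import re

# Terms taken from the statements the MySQL password-logging page lists as
# subject to password rewriting (GRANT, CREATE/ALTER USER, SET PASSWORD,
# CREATE/ALTER SERVER, CHANGE MASTER TO). Which terms to key on is this
# example's assumption, not the list the Ubuntu fix uses.
SENSITIVE_KEYWORDS = (
    "IDENTIFIED BY",
    "CREATE USER",
    "ALTER USER",
    "PASSWORD",
    "GRANT",
    "CREATE SERVER",
    "ALTER SERVER",
    "CHANGE MASTER TO",
)
_KEYWORD_RE = re.compile(
    r"\b(?:" + "|".join(re.escape(k) for k in SENSITIVE_KEYWORDS) + r")\b",
    re.IGNORECASE,
)

# Targeted rewrite: the clause that introduces a secret (IDENTIFIED [WITH x]
# BY [PASSWORD], MASTER_PASSWORD=, PASSWORD=, PASSWORD(), followed by the
# quoted string carrying it. Only the quoted string is replaced.
_SECRET_RE = re.compile(
    r"(?P<lead>\b(?:IDENTIFIED(?:\s+WITH\s+\S+)?\s+BY(?:\s+PASSWORD)?"
    r"|MASTER_PASSWORD\s*=|PASSWORD\s*=|PASSWORD\s*\()\s*)"
    r"(?P<secret>'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\")",
    re.IGNORECASE,
)

LINE_REDACTED = "<line removed: may contain credentials>"
SECRET_REDACTED = "'<secret>'"


def scrub_line_coarse(line: str) -> str:
    """Replace the whole line if it mentions any password-carrying statement.

    This is the strategy the bug's [Regression Potential] describes: it cannot
    miss a secret hidden in unusual syntax, but it also discards harmless
    diagnostics that merely contain one of the words (see the last sample)."""
    return LINE_REDACTED if _KEYWORD_RE.search(line) else line


def scrub_line_targeted(line: str) -> str:
    """Keep the line, replace only the quoted secret after the clause.

    Caveat: a secret escaped with a doubled quote ('it''s') is matched only up
    to the first doubled quote, so prefer coarse mode when in doubt."""
    return _SECRET_RE.sub(lambda m: m.group("lead") + SECRET_REDACTED, line)


def scrub_log(lines, mode="coarse"):
    """Scrub a list of error-log lines with the chosen strategy."""
    scrub = scrub_line_coarse if mode == "coarse" else scrub_line_targeted
    return [scrub(line) for line in lines]


def leaks(lines, needle):
    """The bug's test step in code: is the known secret still in the output?"""
    return any(needle in line for line in lines)


# Constructed sample lines (not real server output). The second line is the
# bug's own case: a GRANT rejected by validate_password, echoed unaltered.
SAMPLE_ERROR_LOG = [
    "2016-04-25T10:00:01.000000Z 0 [Note] /usr/sbin/mysqld: ready for connections.",
    "2016-04-25T10:00:05.000000Z 3 [Warning] Statement rejected by validate_password: "
    "GRANT ALL ON *.* TO 'user'@'localhost' IDENTIFIED BY '123'",
    "2016-04-25T10:00:09.000000Z 3 [Warning] Statement rejected by validate_password: "
    "SET PASSWORD FOR 'app'@'%' = PASSWORD('s3cr3t')",
    "2016-04-25T10:00:12.000000Z 4 [Note] CHANGE MASTER TO MASTER_HOST='db2', "
    "MASTER_USER='repl', MASTER_PASSWORD='hunter2'",
    "2016-04-25T10:00:20.000000Z 5 [Warning] Access denied for user 'user'@'localhost' "
    "(using password: YES)",
]

if __name__ == "__main__":
    for mode in ("coarse", "targeted"):
        print(f"--- {mode} ---")
        for line in scrub_log(SAMPLE_ERROR_LOG, mode):
            print(line)
```

Running it on the constructed sample shows the trade-off the bug's [Regression Potential] points at: coarse mode drops every line but the first, including the "Access denied" line, which carries no secret but contains the word "password"; targeted mode keeps all five lines and blanks only '123', 's3cr3t' and 'hunter2'. An apport hook that wants to stay safe against syntax the targeted regex does not anticipate can run both and keep the coarse result whenever the targeted pass changed nothing on a line that matched a keyword.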