group.of.nepali.translators team mailing list archive

[Bug 1574458] Re: Logs.var.log.mysql.error.log.txt contains usernames and passwords

** Changed in: mysql-5.6 (Ubuntu Trusty)
       Status: New => Invalid

** Changed in: mariadb-10.0 (Ubuntu)
       Status: New => Invalid

** Also affects: mariadb-10.1 (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1574458

Title:
  Logs.var.log.mysql.error.log.txt contains usernames and passwords

Status in mariadb-10.0 package in Ubuntu:
  Invalid
Status in mariadb-10.1 package in Ubuntu:
  Confirmed
Status in mariadb-5.5 package in Ubuntu:
  Invalid
Status in mysql-5.5 package in Ubuntu:
  Invalid
Status in mysql-5.6 package in Ubuntu:
  Invalid
Status in mysql-5.7 package in Ubuntu:
  Fix Released
Status in mariadb-5.5 source package in Trusty:
  Confirmed
Status in mysql-5.5 source package in Trusty:
  Confirmed
Status in mysql-5.6 source package in Trusty:
  Invalid
Status in mariadb-10.0 source package in Xenial:
  Confirmed
Status in mysql-5.7 source package in Xenial:
  Fix Released

Bug description:
  MySQL has some logic for ensuring passwords aren't written to the
  logs, detailed at https://dev.mysql.com/doc/refman/5.7/en/password-logging.html
  (passwords are rewritten before they are logged).
  However, a failed grant statement is written unaltered to the error
  log, bypassing the password rewriting logic.

  [Impact]
  Ubuntu's bug reporting system will suggest uploading the error log to a bug report. This can lead to user credentials written in plain text in public bug reports.

  [Test case]
  (note/todo: I had a simpler test for this, but can't find the exact syntax for it)
  * Add the following to the server config:
  plugin-load=validate_password.so
  validate-password=FORCE_PLUS_PERMANENT
  and restart the server
  * Log in and run GRANT ALL ON *.* TO 'user'@'localhost' IDENTIFIED BY '123';
  * Observe statement failing because it doesn't follow password validation rules
  * Run "ubuntu-bug mysql-server"
  * Choose "View Report"
  * Search for "123"

  Expected behavior:
  Password is scrambled or otherwise not written to the apport report

  Actual behavior:
  The entire failed grant statement is written to the apport report

  [Regression Potential]
  The fix replaces all lines in the log that contain any of the terms mentioned on the password-logging site, so it will rewrite more lines than strictly necessary, potentially making debugging harder.

  [Original description]
  Your automated bug reports are posting Logs.var.log.mysql.error.log.txt in clear text. These logs may contain PII as well as user credentials.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mariadb-10.0/+bug/1574458/+subscriptions
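Added example, not code from the bug report or from the Ubuntu packages: a Python filter in the spirit of the fix described under [Regression Potential], dropping any error-log line that contains a credential-carrying term before the log is attached to a report. A targeted mode keeps the line and blanks only the quoted secret, which limits the debugging cost the report mentions; the term list, regexes and sample log lines are assumptions constructed for this demo.

```python
import re

# Terms (assumed from the MySQL password-logging page) that mark statements
# able to carry a credential; a line containing any of them is suspect.
SENSITIVE_TERMS = (
    "IDENTIFIED BY", "PASSWORD(", "OLD_PASSWORD(", "SET PASSWORD",
    "CREATE USER", "ALTER USER", "CREATE SERVER", "ALTER SERVER",
)
_TERM_RE = re.compile("|".join(re.escape(t) for t in SENSITIVE_TERMS), re.IGNORECASE)

# Quoted literal that follows a password keyword; the targeted mode blanks
# only this literal and leaves the rest of the statement readable.
_SECRET_RE = re.compile(
    r"(IDENTIFIED\s+BY\s+|PASSWORD\s*\(\s*|SET\s+PASSWORD\s*=\s*)"
    r"(['\"])(?:\\.|(?!\2).)*\2",
    re.IGNORECASE,
)

REDACTED_LINE = "[line removed: may contain credentials]"


def redact_line(line: str, targeted: bool = False) -> str:
    """Return the line unchanged if it carries no sensitive term, otherwise
    either blank the quoted secret (targeted) or replace the whole line."""
    if not _TERM_RE.search(line):
        return line
    if targeted:
        rewritten, n = _SECRET_RE.subn(
            lambda m: f"{m.group(1)}{m.group(2)}***{m.group(2)}", line)
        if n:  # a secret literal was found and blanked
            return rewritten
    # Whole-line removal: the safe default (this is what the fix does), and the
    # fallback when a suspect line has no literal we know how to blank.
    return REDACTED_LINE


def redact_log(text: str, targeted: bool = False) -> str:
    """Apply redact_line to every line of an error-log snapshot."""
    return "\n".join(redact_line(ln, targeted) for ln in text.splitlines())


# Constructed sample of what an error log might hold after the failed GRANT
# from the test case (format and wording are illustrative only).
SAMPLE_LOG = """\
2016-04-25 10:00:01 0 [Note] /usr/sbin/mysqld: ready for connections.
2016-04-25 10:00:05 3 [ERROR] Password policy rejected: GRANT ALL ON *.* TO 'user'@'localhost' IDENTIFIED BY '123';
2016-04-25 10:00:09 3 [Note] Access denied for user 'app'@'localhost'
"""

if __name__ == "__main__":
    print(redact_log(SAMPLE_LOG))
    print(redact_log(SAMPLE_LOG, targeted=True))
```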