mandos-client adds unnecessary files to initrd

Bug #457709 reported by Mandos Maintainers
Affects            Status        Importance   Assigned to   Milestone
mandos (Debian)    Fix Released  Unknown
mandos (Ubuntu)    Fix Released  Undecided    Unassigned
  Jaunty           Fix Released  Undecided    Unassigned
  Karmic           Fix Released  Undecided    Unassigned

Bug Description

Binary package hint: mandos-client

Copied text from Debian bug #551907, reported by "C. Dominik Bodi" <email address hidden>:

----
The update-initramfs hook script for the mandos client adds several files
into the initrd that are not necessary for its operation. One of the
files being added causes a severe security risk for other mandos
clients in case the client acts as a mandos server, as well.

The superfluous files can be found in
initrd_root/etc/conf/conf.d/mandos/

First of all, backup files created by various text editors, for
instance emacsen's "filename~" (notice the tilde) files, are added
to the initrd.

More importantly, if the mandos server package is installed on the
same computer, the /etc/mandos/mandos.conf and
/etc/mandos/clients.conf will be added to the initrd, as well.

[...]
----
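
The hook behaviour the report describes, and a selective copy that avoids it, as an added example written for this page: it is not the mandos-client package's own initramfs hook and not the upstream 1.0.13 patch. The report only names mandos.conf, clients.conf and editor "filename~" backups as the unwanted files and conf/conf.d/mandos/ as where they land; everything else here is an assumption for the example: that plugin-runner.conf and a plugins.d/ directory are the client-side files worth keeping, that the staging root stands in for the DESTDIR an initramfs-tools hook writes into, and that dpkg conffile leftovers should be excluded too. The sample /etc/mandos tree is constructed in a temporary directory, not taken from any system.

```shell
#!/bin/sh
# Added example (not the mandos-client package's own initramfs hook): copy
# only the client-side Mandos configuration into an initramfs staging tree,
# and check a staging tree for files that should never have been included.
#
# Assumptions, not taken from the bug report: the client-side files are
# plugin-runner.conf and the plugins.d/ directory; the staging root plays the
# role of initramfs-tools' DESTDIR; the copy lands in conf/conf.d/mandos/.

# skip_file NAME: succeed (0) if a file with this basename must not be copied
# into the initrd, fail (1) if it is a legitimate client config file.
skip_file() {
    case "$1" in
        # Mandos *server* configuration (the mandos package). The bug report
        # singles these out: clients.conf in an initrd endangers other clients.
        mandos.conf|clients.conf) return 0 ;;
        # Editor backup/autosave files, e.g. "mandos.conf~" from emacsen.
        *~|*.bak|'#'*'#') return 0 ;;
        # Package-manager leftovers from conffile upgrades (assumed unwanted).
        *.dpkg-old|*.dpkg-new|*.dpkg-dist|*.dpkg-bak) return 0 ;;
    esac
    return 1
}

# copy_tree SRCDIR DESTDIR: recursive copy that applies skip_file at every
# level. Uses positional parameters only, so it recurses in plain POSIX sh.
copy_tree() {
    for path in "$1"/*; do
        [ -e "$path" ] || continue          # unmatched glob in an empty dir
        name=${path##*/}
        if skip_file "$name"; then
            continue
        fi
        if [ -d "$path" ]; then
            mkdir -p "$2/$name"
            copy_tree "$path" "$2/$name"
        else
            cp -p "$path" "$2/$name"
        fi
    done
}

# copy_client_conf SRC STAGING: the selective hook body.
copy_client_conf() {
    mkdir -p "$2/conf/conf.d/mandos"
    copy_tree "$1" "$2/conf/conf.d/mandos"
}

# naive_copy SRC STAGING: the behaviour the report describes, kept only for
# comparison: everything under SRC goes into the initrd, backups and server
# config included.
naive_copy() {
    mkdir -p "$2/conf/conf.d/mandos"
    cp -pr "$1"/* "$2/conf/conf.d/mandos/"
}

# check_initrd_root STAGING: print every file under conf/conf.d/mandos that
# skip_file rejects and return 1 if there were any, 0 if the tree is clean.
# Usable as a check on an unpacked initrd (zcat initrd.img | cpio -id).
check_initrd_root() {
    find "$1/conf/conf.d/mandos" -type f | {
        bad=0
        while read -r path; do
            if skip_file "${path##*/}"; then
                echo "leaked into initrd: $path" >&2
                bad=1
            fi
        done
        exit "$bad"     # exits only this subshell; becomes the pipeline status
    }
}

# make_fixture DIR: a constructed /etc/mandos lookalike for the demo, not
# copied from any real system. File contents are placeholders.
make_fixture() {
    mkdir -p "$1/etc/mandos/plugins.d"
    echo "# client: plugin runner config" > "$1/etc/mandos/plugin-runner.conf"
    echo "# editor backup of the above"   > "$1/etc/mandos/plugin-runner.conf~"
    echo "# client: a plugin"             > "$1/etc/mandos/plugins.d/example-plugin"
    echo "# server: mandos.conf"          > "$1/etc/mandos/mandos.conf"
    echo "# server: clients.conf"         > "$1/etc/mandos/clients.conf"
    echo "# dpkg leftover"                > "$1/etc/mandos/mandos.conf.dpkg-old"
}

# demo: build the fixture, stage it both ways, report which tree leaks.
demo() {
    tmp=$(mktemp -d) || return 1
    make_fixture "$tmp"
    naive_copy       "$tmp/etc/mandos" "$tmp/naive"
    copy_client_conf "$tmp/etc/mandos" "$tmp/fixed"
    echo "== naive copy =="
    check_initrd_root "$tmp/naive" || echo "naive tree leaks server config/backups"
    echo "== selective copy =="
    check_initrd_root "$tmp/fixed" && echo "selective tree is clean"
    rm -rf "$tmp"
}

demo
```

The allow-list lives in one function (skip_file) that both the copy and the check consult, so the check cannot drift from the copy; the same check can be pointed at a real unpacked initrd to confirm that a rebuilt image no longer carries clients.conf or any "~" backup file.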

visibility: private → public
Changed in mandos (Debian):
status: Unknown → New
Mandos Maintainers (mandos-maintainers) wrote :

Fixed in Mandos 1.0.13, now released upstream.

Changed in mandos (Ubuntu):
assignee: nobody → Mandos Maintainers (mandos-maintainers)
status: New → Fix Committed
Mandos Maintainers (mandos-maintainers) wrote :

This patch will fix the bug, and is also the only upstream change from 1.0.12 to 1.0.13.

Jamie Strandboge (jdstrand) wrote :

Marking as In Progress based on https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures#Preparing%20an%20update.

Is 1.0.8 affected? If you are able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures.

Thanks!

Changed in mandos (Ubuntu):
status: Fix Committed → In Progress
Changed in mandos (Ubuntu Jaunty):
status: New → Incomplete
Mandos Maintainers (mandos-maintainers) wrote :

1.0.8 is indeed affected. I don't have an Ubuntu system, but I'll attach a suggested diff for the Ubuntu changelog security update.

Changed in mandos (Ubuntu Jaunty):
status: Incomplete → In Progress
Changed in mandos (Debian):
status: New → Fix Released
Changed in mandos (Ubuntu Karmic):
assignee: Mandos Maintainers (mandos-maintainers) → nobody
status: In Progress → Fix Committed
Scott Kitterman (kitterman) wrote :

motu/motu-release ack.

Changed in mandos (Ubuntu Karmic):
status: Fix Committed → Confirmed
Martin Pitt (pitti) wrote :

[Updating] mandos (1.0.12-1build1 [Ubuntu] < 1.0.13-1 [Debian])
 * Trying to add mandos...
  - <mandos_1.0.13-1.diff.gz: downloading from http://ftp.debian.org/debian/>
  - <mandos_1.0.13.orig.tar.gz: downloading from http://ftp.debian.org/debian/>
  - <mandos_1.0.13-1.dsc: downloading from http://ftp.debian.org/debian/>
I: mandos [universe] -> mandos_1.0.12-1build1 [universe].
I: mandos [universe] -> mandos-client_1.0.12-1build1 [universe].

Changed in mandos (Ubuntu Karmic):
status: Confirmed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Thanks for the jaunty patches, I'll prepare a security update.

Marc Deslauriers (mdeslaur) wrote :

Jaunty update has been released.

Changed in mandos (Ubuntu Jaunty):
status: In Progress → Fix Released
This report contains Public Security information  