Problem with a password containing space char

Bug #584943 reported by Kychot
This bug affects 2 people
Affects                    Status         Importance   Assigned to   Milestone
dbconfig-common (Debian)   Confirmed      Unknown
dbconfig-common (Ubuntu)   Fix Released   Wishlist     Unassigned

Bug Description

Binary package hint: dbconfig-common

Description: Ubuntu 10.04 LTS
Release: 10.04
dbconfig-common version: 1.8.44ubuntu1

Process of installation of (for example) phpmyadmin:
* the installation script uses dbconfig-common
* the bug occurs when choosing any password (for phpmyadmin) containing a space character, for example aaaa bbbb

In such case:

* /etc/dbconfig-common/phpmyadmin.conf contains the correct line:
dbc_dbpass='aaaa bbbb'

* but the password of the user phpmyadmin in the table mysql/user is truncated and set to 'aaaa'

As a result:
* after logging into phpmyadmin the error appears:
"Connection for controluser as defined in your configuration failed."
* the resulting truncated password which is actually set by dbconfig-common may be VERY WEAK (serious security hole)

I suppose it's a bug of dbconfig-common and not a bug of phpmyadmin. (But maybe I'm wrong.)

Workaround:
* You must verify the password in the mysql database and correct it by hand with the help of the mysql client.
* don't use passwords containing a space character

The next problem:

When attempting to reconfigure the phpmyadmin interactively by means of
# dpkg-reconfigure -plow phpmyadmin
there is no subsequent question about the phpmyadmin password. The original (corrupted) password remains unchanged even if the username was changed (for example, from 'phpmyadmin' to 'pma').
The file /etc/dbconfig-common/phpmyadmin.conf is updated OK, but the new record in the table mysql/user is created with the same (truncated) password and the old record is still remaining in the table (without the user knowing), which increases the security vulnerability.

security vulnerability: yes → no
visibility: private → public
Chuck Short (zulcss) wrote :

Thanks for the bug report, I'll take a look at this for maverick.

Changed in dbconfig-common (Ubuntu):
importance: Undecided → Wishlist
status: New → Confirmed
Paul Gevers (paul-climbing) wrote :

Actually, it is not only the space character. I think dbconfig-common should make sure that passwords are escaped properly. However, phpmyadmin could add quotes to the config template, and only quotes would be a problem in the password (but probably make it fail instead of using a truncated password).

Changed in dbconfig-common (Debian):
status: Unknown → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dbconfig-common - 1.8.52

---------------
dbconfig-common (1.8.52) unstable; urgency=medium

  * Forgot to install dbconfig-common for the CI tests
  * Update French translation by Julien Patriarca (Closes: #789908)

 -- Paul Gevers <email address hidden> Fri, 26 Jun 2015 13:42:50 +0200

Changed in dbconfig-common (Ubuntu):
status: Confirmed → Fix Released
Changed in dbconfig-common (Debian):
status: New → Confirmed
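
An audit supporting the workaround in the report (verify the password by hand) and the quoting concern raised in the comments, as an added example that is not part of the original thread or of dbconfig-common: it reads dbc_dbpass from conf files without sourcing them and flags values containing whitespace or quote characters. It assumes the single-quoted dbc_dbpass='...' form shown in the report; all function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag dbconfig-common style conf files whose password may have
# been stored differently in the database (whitespace or quotes in the value).

# Print the raw dbc_dbpass value. The file is parsed, not sourced, because
# sourcing would execute it as shell code.
dbc_get_pass() {
    sed -n "s/^dbc_dbpass='\(.*\)'[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# Return 0 if the configured password contains a space, tab or quote.
dbc_pass_at_risk() {
    pass=$(dbc_get_pass "$1")
    tab=$(printf '\t')
    case $pass in
        *" "*|*"$tab"*|*\'*|*\"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<configured length> <length if cut at the first space>", the
# truncation described in the report. Lengths only, so no secret is logged.
dbc_length_drop() {
    pass=$(dbc_get_pass "$1")
    cut=${pass%% *}
    printf '%s %s\n' "${#pass}" "${#cut}"
}

# Report every *.conf in a directory that needs a manual check.
dbc_audit_dir() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if dbc_pass_at_risk "$f"; then
            printf '%s: verify database password (configured/cut length: %s)\n' \
                "$f" "$(dbc_length_drop "$f")"
        fi
    done
}

# Demo on constructed sample files (not real credentials).
dbc_demo() {
    d=$(mktemp -d) || return 1
    printf "dbc_dbpass='aaaa bbbb'\n" > "$d/phpmyadmin.conf"
    printf "dbc_dbpass='Zk3nQ8vT'\n" > "$d/other.conf"
    dbc_audit_dir "$d"
    rm -rf "$d"
}
if [ "${1:-}" = "--demo" ]; then dbc_demo; fi
```

On a real system the directory to pass to dbc_audit_dir is /etc/dbconfig-common, and reading it requires root.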