Slashdot Mirror


Root Password Readable in Clear Text with Ubuntu

BBitmaster writes "An extremely critical bug and security threat was discovered in Ubuntu Breezy Badger 5.10 earlier today by a visitor on the Ubuntu Forums that allows anyone to read the root password simply by opening an installer log file. Apparently the installer fails to clean its log files and leaves them readable to all users. The bug has been fixed, and only affects the 5.10 Breezy Badger release. Ubuntu users, be sure to get the patch right away."

3 of 520 comments

  1. Security Audit by RunFatBoy.net · · Score: 0, Redundant

    A thanks to Teotihacan for finding this. I'm sure that eventually several sysadmins would have failed security audits because of this. -- Jim http://www.runfatboy.net/

  2. okay by gcnaddict · · Score: -1, Redundant

    A patch in 2 hours for a massive security hole in an OS, on a Sunday as mentioned earlier. Class, let's do a comparison:

    Ubuntu devs fix a massive hole in a few hours, tops
    Microsoft devs fix a massive hole (WMF security bug) in two weeks-ish...

    Which group put more people at risk and why? I want a 5000 word essay by this Thursday explaining your views. :P

    --
    Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/

  3. [easier] Solution by tpgp · · Score: 0, Redundant

    Open a terminal and type:
    $ sudo grep -r <my password> /var/log
    (if it returns your password, you're vulnerable)
    $ sudo apt-get update
    $ sudo apt-get install passwd base-config
    (wait)
    $ sudo grep -r <my password> /var/log
    (if it doesn't return your password, you're no longer vulnerable)

    On a side note - this is pretty bad - sure a lot of people are going to say this is local privilege escalation only, but combined with any other exploit, this allows an attacker root access.

    This is the reason I use Debian for anything serious....
    --
    My pics.
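
A variant of the check in the comment above, as an added example that is not part of the original thread: it reads the password without echo and hands it to grep through a mode-0600 temporary file, so the password stays out of shell history and the process list, and it reports which matching files are world-readable. The function names and the `/var/log` default are assumptions; run it as root so that logs your own user cannot read are covered too.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# scan_logs SECRET_FILE DIR
# Lists every file under DIR that contains the secret (as a fixed string)
# and says whether that file is readable by "other" users.
scan_logs() {
    secret_file=$1
    dir=$2
    # An empty pattern file would be useless; refuse it.
    [ -s "$secret_file" ] || return 2
    # -r recurse, -l names only, -F fixed string, -f pattern from file
    # (the secret never appears in grep's argument list).
    # Errors for unreadable files are discarded; run as root to avoid them.
    grep -rlF -f "$secret_file" -- "$dir" 2>/dev/null |
    while IFS= read -r f; do
        # -perm -004 is true when the "other" read bit is set.
        if [ -n "$(find "$f" -prune -perm -004 2>/dev/null)" ]; then
            echo "WORLD-READABLE $f"
        else
            echo "restricted $f"
        fi
    done
}

# check_password_leak [DIR]
# Prompts for the password with terminal echo off, then scans DIR.
check_password_leak() {
    dir=${1:-/var/log}
    tmp=$(mktemp) || return 2          # mktemp creates the file mode 0600
    printf 'Password to search for (not echoed): ' >&2
    stty -echo
    IFS= read -r pw
    stty echo
    echo >&2
    if [ -z "$pw" ]; then rm -f "$tmp"; return 2; fi
    printf '%s\n' "$pw" > "$tmp"       # printf is a shell builtin: no argv leak
    scan_logs "$tmp" "$dir"
    rm -f "$tmp"
}

# Runs only when a directory is given, e.g.:  sudo sh check.sh /var/log
if [ $# -gt 0 ]; then
    check_password_leak "$1"
fi
```

Any `WORLD-READABLE` line means a local user can read the password from that file; after patching, also change the password, since it may already have been read.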