Package: debci
Version: 3.6
Severity: serious
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Hi,

When using authentication in AMQP connections, the username and password
supplied in the --url option to amqp-consume and amqp-publish, respectively,
are exposed in the process list, see #1037322:

  $ pgrep -a amqp-consume
  62287 amqp-consume --url amqp://user:pass@192.168.0.1 --queue=myqueue

A patch has been accepted upstream to read the username and password
from a file. I assume this will make its way into amqp-tools soon.

Unless I'm mistaken, debci will need to be updated for this, e.g. by
adding a debci_amqp_pwfile config option + NEWS entry suggesting that
people migrate to this new option. I'd be happy to file an MR for this,
once amqp-tools has been fixed.

Best,
Christian


-- System Information:
Debian Release: 11.7
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-0.deb11.7-amd64 (SMP w/24 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages debci depends on:
ii  adduser                     3.118
pn  amqp-tools                  <none>
ii  curl                        7.88.1-7~bpo11+2
ii  dctrl-tools                 2.24-3+b1
ii  debian-archive-keyring      2021.1.1+deb11u1
ii  debootstrap                 1.0.128+nmu2~bpo11+1
ii  devscripts                  2.22.2~bpo11+1
pn  distro-info                 <none>
ii  fonts-font-awesome          5.0.10+really4.7.0~dfsg-4.1
ii  jq                          1.6-2.1
ii  libjs-bootstrap             3.4.1+dfsg-2
ii  libjs-jquery                3.5.1+dfsg+~3.5.5-7
pn  libjs-jquery-flot           <none>
pn  moreutils                   <none>
ii  netcat-openbsd              1.217-3
pn  parallel                    <none>
ii  patchutils                  0.4.2-1
pn  retry                       <none>
ii  rsync                       3.2.7-1~bpo11+1
ii  ruby                        1:2.7+2
pn  ruby-activerecord           <none>
pn  ruby-bunny                  <none>
pn  ruby-erubi                  <none>
pn  ruby-kaminari-activerecord  <none>
pn  ruby-pg                     <none>
pn  ruby-sinatra                <none>
pn  ruby-sinatra-contrib        <none>
pn  ruby-sqlite3                <none>
pn  ruby-thor                   <none>
pn  sudo                        <none>

Versions of packages debci recommends:
ii  systemd-timesyncd [time-daemon]  252.5-2~bpo11+1

Versions of packages debci suggests:
pn  apt-cacher-ng  <none>
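Added example, not part of this report or of debci/amqp-tools: a small POSIX shell check that flags processes whose command line embeds a password in a URL (scheme://user:pass@host), which is the exposure the pgrep output above shows, and redacts the userinfo so the finding can be logged without repeating the leak. The sample command lines and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or debci): detect command lines that
# carry credentials in a URL, as any local user can read them from the process
# list (/proc/<pid>/cmdline), and redact them for safe reporting.

# has_url_credentials CMDLINE -> exit 0 if the command line embeds userinfo
# in a URL (scheme://user:pass@host), exit 1 otherwise.
has_url_credentials() {
    printf '%s\n' "$1" |
        grep -Eq '[a-zA-Z][a-zA-Z0-9+.-]*://[^/@[:space:]]+:[^/@[:space:]]*@'
}

# redact_url_credentials CMDLINE -> print the command line with the
# user:pass part replaced by ***:*** so it can be logged safely.
redact_url_credentials() {
    printf '%s\n' "$1" |
        sed -E 's#([a-zA-Z][a-zA-Z0-9+.-]*://)[^/@[:space:]]+:[^/@[:space:]]*@#\1***:***@#g'
}

# scan_proc_cmdlines: walk /proc/*/cmdline (argv joined by NUL bytes) and
# print PID plus redacted command line for every process that embeds a
# URL password. Run it on a host that uses amqp-consume/amqp-publish --url.
scan_proc_cmdlines() {
    for f in /proc/[0-9]*/cmdline; do
        pid=${f#/proc/}; pid=${pid%/cmdline}
        cmd=$(tr '\0' ' ' < "$f" 2>/dev/null) || continue
        [ -n "$cmd" ] || continue
        if has_url_credentials "$cmd"; then
            printf '%s %s\n' "$pid" "$(redact_url_credentials "$cmd")"
        fi
    done
}

# Constructed sample command lines standing in for /proc/<pid>/cmdline.
SAMPLE_LEAK='amqp-consume --url amqp://user:pass@192.168.0.1 --queue=myqueue'
SAMPLE_SAFE='amqp-consume --url amqp://192.168.0.1 --queue=myqueue'
```

The check only covers credentials passed on the command line; a password read from a file, as the upstream patch allows, never appears in /proc/<pid>/cmdline in the first place.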
