The debian-private mailing list leak, part 1.


debian pppd chatscript (fwd)



Somebody please look at this, it seems rather serious to me.

-- 
John Goerzen
Southwind Internet Access, Inc. Technical Support
Business e-mail: jgoerzen@southwind.net

Personal e-mail: jgoerzen@complete.org
Wichita State University e-mail: jgoerzen@cs.twsu.edu
Developer, Debian GNU/Linux    <http://www.debian.org>

---------- Forwarded message ----------
Date: Mon, 15 Dec 1997 18:25:59 +0800
From: Stephen Hardman <hardguy@CONTINUITY.IT.NET.AU>
To: BUGTRAQ@netspace.org
Subject: debian pppd chatscript

This is a bit old, but someone else noticed this and then it
started happening on my machine.

The default logfile (/var/log/ppp.log) is world readable by default.

--- extract from /var/log/ppp.log ---

Dec 14 16:43:14 gateway chat[362]: ^Mlogin -- got it
Dec 14 16:43:14 gateway chat[362]: send (loginname^M)
Dec 14 16:43:15 gateway chat[362]: expect (word)
Dec 14 16:43:15 gateway chat[362]: : loginname^M
Dec 14 16:43:15 gateway chat[362]: Password -- got it
Dec 14 16:43:15 gateway chat[362]: send (MyPassWoRd^M)

--- end extract ---

So it seems it is not hiding the sent password as it should
do when the password is preceded by \q in /etc/ppp.chatscript.

       \q     Suppress writing the string to the SYSLOG file. The
              string  ??????  is written to the log in its place.
              (not valid in expect.) -- chat(8)

I should probably send it off to a debian bug/security
list as well... but it's quite relevant here.

This didn't happen until I recently reinstalled Debian.

versions are -
ii  ppp             2.2.0f-23      Point-to-Point Protocol (PPP) daemon.
pppd version 2.2 patch level 0
Debian 1.3

My settings are _exactly_ the same, am I missing something?

(Thanks to Andrew McArdle for first pointing it out)

Stephen Hardman
hardguy@it.net.au
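
An added example, not part of the original post or of the ppp package: a shell audit that checks a chat(8) log for the two conditions reported above, a reply to a password prompt logged without the `??????` mask and a log file readable by everyone. The function names and the sample lines are constructed for illustration; the masked form `send (??????)` is assumed from the chat(8) excerpt quoted in the post.

```shell
#!/bin/sh
# Added example: audit a chat(8) log for password replies that were not masked.

# Succeeds if the "other" read bit is set on the file.
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Print the line number of every "send (...)" entry that directly follows a
# "Password -- got it" entry and whose payload is not the ?????? mask.
unmasked_password_sends() {
    awk '
        after_prompt && /chat\[[0-9]+\]: send \(/ {
            payload = $0
            sub(/^.*: send \(/, "", payload)
            sub(/\)$/, "", payload)
            if (payload !~ /^[?]+$/) print NR
        }
        { after_prompt = ($0 ~ /chat\[[0-9]+\]: .*[Pp]assword.* -- got it/) }
    ' "$1"
}

# Exit status: 0 clean, 1 unmasked password logged, 2 logged and world-readable.
audit_chat_log() {
    hits=$(unmasked_password_sends "$1" | wc -l | tr -d ' ')
    [ "$hits" -gt 0 ] || { echo "OK: $1"; return 0; }
    if is_world_readable "$1"; then
        echo "EXPOSED: $1 is world-readable, $hits unmasked password send(s)"
        return 2
    fi
    echo "WARN: $1 has $hits unmasked password send(s)"
    return 1
}

# Constructed sample: lines from the extract above plus one masked session.
sample_log() {
    cat <<'EOF'
Dec 14 16:43:14 gateway chat[362]: send (loginname^M)
Dec 14 16:43:15 gateway chat[362]: Password -- got it
Dec 14 16:43:15 gateway chat[362]: send (MyPassWoRd^M)
Dec 14 17:02:40 gateway chat[401]: Password -- got it
Dec 14 17:02:40 gateway chat[401]: send (??????)
EOF
}

# Audit a real log when a path is given, e.g. /var/log/ppp.log.
if [ -n "${1:-}" ]; then audit_chat_log "$1"; fi
```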

