Debian Security Advisory

DSA-1518-1 backup-manager -- programming error

Date Reported:

15 Mar 2008

Affected Packages:

backup-manager

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 439392.
In Mitre's CVE dictionary: CVE-2007-4656.

More information:

Micha Lenk discovered that backup-manager, a command-line backup tool, sends the password as a command line argument when calling a FTP client, which may allow a local attacker to read this password (which provides access to all backed-up files) from the process listing.

For the old stable distribution (sarge), this problem has been fixed in version 0.5.7-1sarge2.

For the stable distribution (etch), this problem has been fixed in version 0.7.5-4.

For the unstable distribution (sid), this problem has been fixed in version 0.7.6-3.

We recommend that you upgrade your backup-manager package.

Fixed in:

Debian GNU/Linux 3.1 (sarge)

Source:: http://security.debian.org/pool/updates/main/b/backup-manager/backup-manager_0.5.7-1sarge2.dsc; http://security.debian.org/pool/updates/main/b/backup-manager/backup-manager_0.5.7.orig.tar.gz; http://security.debian.org/pool/updates/main/b/backup-manager/backup-manager_0.5.7-1sarge2.diff.gz
Architecture-independent component:: http://security.debian.org/pool/updates/main/b/backup-manager/backup-manager_0.5.7-1sarge2_all.deb

Debian GNU/Linux 4.0 (etch)

Source:: http://security.debian.org/pool/updates/main/b/backup-manager/backup-manager_0.7.5-4.dsc; http://security.debian.org/pool/updates/main/b/backup-manager/backup-manager_0.7.5.orig.tar.gz; http://security.debian.org/pool/updates/main/b/backup-manager/backup-manager_0.7.5-4.diff.gz
Architecture-independent component:: http://security.debian.org/pool/updates/main/b/backup-manager/backup-manager-doc_0.7.5-4_all.deb; http://security.debian.org/pool/updates/main/b/backup-manager/backup-manager_0.7.5-4_all.deb

MD5 checksums of the listed files are available in the original advisory.