Message-Id: <201205311704.q4VH42p4017659@red.freebsd.org>
Date: Thu, 31 May 2012 17:04:02 GMT
From: Brian Carlson <brian.carlson@cpanel.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: mysqlcheck (databases/mysql51-client) does not obscure password on command line

>Number:         168504
>Category:       ports
>Synopsis:       mysqlcheck (databases/mysql51-client) does not obscure password on command line
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    ale
>State:          feedback
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 31 17:10:02 UTC 2012
>Closed-Date:    
>Last-Modified:  Tue Jun  5 16:10:19 UTC 2012
>Originator:     Brian Carlson
>Release:        8.2
>Organization:
cPanel Inc
>Environment:
FreeBSD free82-x64-113021.qa.cpanel.net 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Thu Feb 17 02:41:51 UTC 2011     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
When running mysqlcheck from mysql_upgrade, a password is passed to mysqlcheck on the command line with the -p option.  There is code to obscure this password once it is parsed, but this code does not work on FreeBSD.  The technique it uses is writing over the appropriate argv entry with the character "x"; while this works fine on Linux, I believe this must use setproctitle(3) to work on FreeBSD.

It would be nice if the port were patched to fix this problem. I can verify using the latest ports repository that no patch is applied to MySQL to fix this problem.
>How-To-Repeat:
Run mysql_upgrade in one terminal while running "while true ; do ps auxwwwfd | grep mysqlchec[k] ; done" in another; you will see the database's root password listed.
>Fix:
Patch mysqlcheck to use setproctitle(3).

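As an added example (not code from this PR or from the MySQL tree), the C below masks an attached password argument in argv the way the report describes and, when built on FreeBSD, republishes the masked command line with setproctitle(3) so that ps(1) no longer shows the original value; the sample argv, the option spellings handled and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>   /* setproctitle(3) is declared here on FreeBSD */

/* Overwrite the value of an attached "-pSECRET" or "--password=SECRET"
 * argument with 'x', the in-place argv technique the report describes.
 * A bare "-p" or "--password" (prompt for the password) is left alone.
 * Returns the number of characters masked. */
size_t mask_password_args(int argc, char **argv)
{
    size_t masked = 0;
    for (int i = 1; i < argc; i++) {
        char *value = NULL;
        if (strncmp(argv[i], "--password=", 11) == 0)
            value = argv[i] + 11;
        else if (strncmp(argv[i], "-p", 2) == 0 && argv[i][2] != '\0')
            value = argv[i] + 2;
        for (; value != NULL && *value != '\0'; value++) {
            *value = 'x';
            masked++;
        }
    }
#if defined(__FreeBSD__)
    /* On FreeBSD, ps(1) normally reports the argument string the kernel cached
     * at exec time rather than the process's current argv, so republish the
     * masked line. The leading '-' tells setproctitle(3) not to prepend the
     * program name. */
    char title[1024] = "";
    size_t used = 0;
    for (int i = 0; i < argc && used < sizeof(title); i++) {
        int n = snprintf(title + used, sizeof(title) - used, "%s%s", i ? " " : "", argv[i]);
        if (n < 0) break;
        used += (size_t)n;
    }
    setproctitle("-%s", title);
#endif
    return masked;
}

/* Constructed sample command line (not a captured one) to exercise the masking. */
static char a0[] = "mysqlcheck", a1[] = "--user=root", a2[] = "-ps3cret!",
            a3[] = "--password=hunter2", a4[] = "mysql";
static char *sample_argv[] = { a0, a1, a2, a3, a4, NULL };
static const int sample_argc = 5;

/* Masks the sample in place and returns the count; sample_argv holds the result. */
size_t mask_sample(void)
{
    return mask_password_args(sample_argc, sample_argv);
}
```

On a FreeBSD host, the check from the report (`ps auxwwwfd | grep mysqlchec[k]` in a loop) is the quickest way to confirm that the masked form, not the original, is what appears.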
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->ale 
Responsible-Changed-By: scheidell 
Responsible-Changed-When: Thu May 31 18:57:03 UTC 2012 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=168504 
State-Changed-From-To: open->feedback 
State-Changed-By: ale 
State-Changed-When: Fri Jun 1 08:48:40 UTC 2012 
State-Changed-Why:  
You are right, but the issue is not limited to mysqlcheck. 
To use setproctitle() I think we should put a fix inside 
handle_options() in ./mysys/my_getopt.c 
Are you going to provide a patch for it? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=168504 

From: "brian m. carlson" <brian.carlson@cpanel.net>
To: bug-followup@FreeBSD.org,
 brian.carlson@cpanel.net
Cc:  
Subject: Re: ports/168504: mysqlcheck (databases/mysql51-client) does not obscure password on command line
Date: Tue, 5 Jun 2012 15:20:54 +0000

I was not planning on providing a patch. This is something we noticed here at cPanel on one of our FreeBSD test systems and I just thought I'd report it upstream to y'all in hopes that it might be fixed.  Our support for FreeBSD 8.2 is near end-of-life, so it's unlikely that we'll get a chance to fix it ourselves and send a patch.
>Unformatted:
