Bug#355541: gossip: world-readable password

Emmanuel Beffara manu at beffara.org
Mon Mar 6 10:49:51 UTC 2006


Package: gossip
Version: 0.10.1-1
Severity: grave
Tags: security
Justification: user security hole


In Gossip version 0.10, the passwords are stored in clear text in
~/.gnome2/Gossip/accounts.xml, which is a world-readable file. Passwords
should at least be stored in gnome2-private, or in a file with restricted
rights, or using some encryption, or any combination of these.


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)

Versions of packages gossip depends on:
ii  gconf2                   2.12.1-9        GNOME configuration database syste
ii  libc6                    2.3.5-13        GNU C Library: Shared libraries an
ii  libgconf2-4              2.12.1-9        GNOME configuration database syste
ii  libglade2-0              1:2.5.1-2       library to load .glade files at ru
ii  libglib2.0-0             2.8.6-1         The GLib library of C routines
ii  libgnome2-0              2.12.0.1-5      The GNOME 2 library - runtime file
ii  libgnomeui-0             2.12.1-1        The GNOME 2 libraries (User Interf
ii  libgnomevfs2-0           2.12.2-5        GNOME virtual file-system (runtime
ii  libgtk2.0-0              2.8.12-1        The GTK+ graphical user interface 
ii  libloudmouth1-0          1.0.1-4         Lightweight C Jabber library
ii  libpango1.0-0            1.10.3-1        Layout and rendering of internatio
ii  libpopt0                 1.7-5           lib for parsing cmdline parameters
ii  libx11-6                 6.9.0.dfsg.1-4  X Window System protocol client li
ii  libxml2                  2.6.23.dfsg.2-2 GNOME XML library
ii  libxslt1.1               1.1.15-4        XSLT processing library - runtime 
ii  libxss1                  6.9.0.dfsg.1-4  X Screen Saver client-side library

gossip recommends no packages.

-- no debconf information
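
Added example, not part of the original report and not Gossip's code: one way to apply the "file with restricted rights" remedy in C, plus a check that flags a file that group or other users can access. The function names and the demo file name are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if group or others have any access to path, 0 if owner-only, -1 on error. */
int is_exposed(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) != 0;
}

/* Replace path with data in a file only its owner can read or write. The data is
 * written to a sibling temp file created with mode 0600 and then renamed over
 * path, so it never sits in a file with wider permissions. */
int write_private_file(const char *path, const char *data, size_t len)
{
    char tmp[4096];
    int n = snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    if (n < 0 || (size_t)n >= sizeof tmp)
        return -1;
    int fd = mkstemp(tmp);
    if (fd < 0)
        return -1;
    int ok = fchmod(fd, S_IRUSR | S_IWUSR) == 0;  /* explicit, umask-independent */
    while (ok && len > 0) {
        ssize_t w = write(fd, data, len);
        if (w <= 0) { ok = 0; break; }
        data += w;
        len -= (size_t)w;
    }
    ok = (close(fd) == 0) && ok;
    if (ok && rename(tmp, path) == 0)
        return 0;
    unlink(tmp);
    return -1;
}

int main(void)
{
    const char *xml = "<accounts/>\n";  /* constructed sample content */
    if (write_private_file("accounts-demo.xml", xml, strlen(xml)) != 0)
        return 1;
    return is_exposed("accounts-demo.xml");  /* exit status 0 means owner-only */
}
```

Restricting the mode only keeps other local users out; the password is still clear text to anything running as the owner, which is why the report also lists encryption as an option.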





More information about the Pkg-gnome-maintainers mailing list