[Debian-med-packaging] Bug#833885: gbrowse: ships a deterministic/predictable OpenID consumer secret
Chris Lamb
lamby at debian.org
Tue Aug 9 21:47:45 UTC 2016
Package: gbrowse
Version: 2.54+dfsg-7
Severity: normal
Tags: security
User: reproducible-builds at lists.alioth.debian.org
Usertags: randomness
X-Debbugs-Cc: reproducible-builds at lists.alioth.debian.org
Hi,
gbrowse ships an OpenID consumer secret in /usr/share/perl5/GBrowse/ConfigData.pm:
{
'OpenIDConsumerSecret' => '639098210478536',
'cgibin' => '/usr/lib/cgi-bin/gbrowse',
'conf' => '/etc/gbrowse',
'config_done' => 1,
'databases' => '/var/lib/gbrowse/databases',
'htdocs' => '/usr/share/gbrowse/htdocs',
'installetc' => 'y',
'persistent' => '/var/lib/gbrowse',
'registration_done' => '1',
'tmp' => '/var/cache/gbrowse'
},
The number is randomly generated at build time, meaning that everyone installing
that particular .deb gets the same "secret". The security implications of this
should be obvious, hence the tag.
(In addition, it also means the package is not reproducible.)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby at debian.org / chris-lamb.co.uk
`-
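The fix a packager would reach for is to stop baking the value into the .deb and instead generate it once per installation (for example from a postinst or on first run), stored with restrictive permissions. The following POSIX shell snippet is an added example illustrating that pattern together with a check for the symptom described in the report (two installs sharing one secret); it is not gbrowse's own code or part of the bug report, and the secret file path under /var/lib/gbrowse is an assumption, as is the use of a 32-byte hex secret.

```shell
#!/bin/sh
# Added example (not gbrowse code): per-installation OpenID consumer secret,
# generated at install/first-run time instead of at package build time.
set -eu

# Assumed location for the runtime secret. The report shows the build-time
# value living in /usr/share/perl5/GBrowse/ConfigData.pm, which is shipped
# identically to every system; a file under the package's persistent
# directory is one way to keep the value per-installation instead.
SECRET_FILE="${SECRET_FILE:-/var/lib/gbrowse/openid_consumer_secret}"

# gen_secret: 32 random bytes from the kernel CSPRNG, printed as 64 hex chars.
gen_secret() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# ensure_secret FILE: create FILE with a fresh secret the first time it is
# called (mode 0600 via umask + mktemp, written atomically), and reuse it on
# later calls so the value is stable for this installation. Prints the secret.
ensure_secret() {
    file="$1"
    if [ ! -s "$file" ]; then
        (
            umask 077
            tmp="$(mktemp "$(dirname "$file")/.secret.XXXXXX")"
            gen_secret > "$tmp"
            mv "$tmp" "$file"
        )
    fi
    cat "$file"
}

# secret_is_baked_in FILE1 FILE2: detection check for the bug class in the
# report. Two independent installations (or two independent builds) should
# never share a secret; returns 0 (true) when the two files hold the same value.
secret_is_baked_in() {
    [ "$(cat "$1")" = "$(cat "$2")" ]
}

# Typical postinst usage (assumption, not gbrowse's actual maintainer script):
#   ensure_secret "$SECRET_FILE" >/dev/null
```

Because the secret is created when the package is configured on the target system rather than when the .deb is built, every installation gets its own value and the package contents themselves become reproducible, which addresses both points raised in the report.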