Bug#663341: scrobbler: should probably create session file with mode 0640

Leo 'costela' Antunes costela at debian.org
Sat Mar 10 14:10:40 UTC 2012


Package: rhythmbox-plugins
Version: 2.95-1
Severity: normal
Tags: patch

Dear Maintainer,

Since the Last.fm session file[0] includes a session key for API usage,
it would probably make sense to create it with mode 0640 instead of 0644.
Even though the API doesn't AFAIK provide access to sensitive
information (thus severity:normal), it can still be misused.

The attached patch should be all that's needed.

[0] ~/.local/share/rhythmbox/audioscrobbler/sessions

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (150, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages rhythmbox-plugins depends on:
ii  gir1.2-gconf-2.0                 3.2.3-3
ii  gir1.2-glib-2.0                  1.31.20-1
ii  gir1.2-gtk-3.0                   3.2.3-1
ii  gir1.2-peas-1.0                  1.2.0-1
ii  gir1.2-rb-3.0                    2.95-1
ii  gir1.2-webkit-3.0                1.6.3-2
ii  libatk1.0-0                      2.2.0-2
ii  libc6                            2.13-27
ii  libcairo-gobject2                1.10.2-7
ii  libcairo2                        1.10.2-7
ii  libclutter-1.0-0                 1.8.4-1
ii  libclutter-gst-1.0-0             1.4.6-1
ii  libclutter-gtk-1.0-0             1.0.4-1
ii  libcogl-pango0                   1.8.2-1
ii  libcogl5                         1.8.2-1
ii  libdmapsharing-3.0-2             2.9.14-1
ii  libdrm2                          2.4.30-1
ii  libffi5                          3.0.10-3
ii  libfontconfig1                   2.8.0-3.1
ii  libfreetype6                     2.4.8-1
ii  libgconf2-4                      3.2.3-3
ii  libgdk-pixbuf2.0-0               2.24.1-1
ii  libgirepository-1.0-1            1.31.20-1
ii  libgl1-mesa-glx [libgl1]         7.11.2-1
ii  libglib2.0-0                     2.30.2-6
ii  libgnome-keyring0                3.2.2-2
ii  libgpod4                         0.8.2-6
ii  libgrilo-0.1-0                   0.1.18-1
ii  libgstreamer-plugins-base0.10-0  0.10.36-1
ii  libgstreamer0.10-0               0.10.36-1
ii  libgtk-3-0                       3.2.3-1
ii  libgudev-1.0-0                   175-3.1
ii  libimobiledevice2                1.1.1-3
ii  libjson-glib-1.0-0               0.14.2-1
ii  liblircclient0                   0.9.0~pre1-1
ii  libmtp9                          1.1.2-2
ii  libmusicbrainz3-6                3.0.2-2
ii  libmx-1.0-2                      1.4.2-1
ii  libnotify4                       0.7.4-1
ii  libpango1.0-0                    1.29.4-3
ii  libpeas-1.0-0                    1.2.0-1
ii  librhythmbox-core5               2.95-1
ii  libsoup-gnome2.4-1               2.36.1-1
ii  libsoup2.4-1                     2.36.1-1
ii  libtdb1                          1.2.9+git20120207-1
ii  libtotem-plparser17              2.32.6-3
ii  libusb-0.1-4                     2:0.1.12-20
ii  libx11-6                         2:1.4.4-4
ii  libxcomposite1                   1:0.4.3-2
ii  libxdamage1                      1:1.1.3-2
ii  libxext6                         2:1.3.0-3
ii  libxfixes3                       1:5.0-4
ii  libxi6                           2:1.4.5-1
ii  libxml2                          2.7.8.dfsg-7
ii  python                           2.7.2-10
ii  python-gnomekeyring              2.32.0+dfsg-1
ii  python-mako                      0.6.2-1
ii  python2.7                        2.7.3~rc1-1
ii  rhythmbox                        2.95-1
ii  zeitgeist-core                   0.8.2-1
ii  zlib1g                           1:1.2.6.dfsg-2

Versions of packages rhythmbox-plugins recommends:
ii  nautilus-sendto  3.0.1-2

rhythmbox-plugins suggests no packages.

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: audioscrobbler_session_private.patch
Type: text/x-diff
Size: 1008 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20120310/57730293/attachment-0003.patch>
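
The attached patch is not reproduced in this archive. As an added illustration of the change the report asks for (not the submitted patch and not Rhythmbox code), the C sketch below writes a file so that it ends up with mode 0640 even when a 0644 copy already exists or the umask differs. The names write_private_file, file_mode and sessions.demo are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write len bytes to path so the file ends up with exactly `mode`.
 * Returns 0 on success, -1 on error (errno set by the failing call). */
int write_private_file(const char *path, const char *data, size_t len, mode_t mode)
{
    /* O_NOFOLLOW: refuse to write through a symlink planted at path. */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, mode);
    if (fd < 0)
        return -1;
    /* open() applies `mode` only when it creates the file, and umask can
     * clear bits; fchmod() sets it before any key bytes are written. */
    if (fchmod(fd, mode) != 0) {
        close(fd);
        return -1;
    }
    while (len > 0) {
        ssize_t n = write(fd, data, len);
        if (n < 0) {
            close(fd);
            return -1;
        }
        data += n;
        len -= (size_t)n;
    }
    return close(fd);
}

/* Permission bits of path, or -1 if stat() fails. */
int file_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

int main(void)
{
    /* Constructed demo path and key, not the real session file. */
    const char *path = "sessions.demo";
    if (write_private_file(path, "constructed-session-key\n", 24, 0640) != 0)
        return 1;
    return file_mode(path) == 0640 ? 0 : 1;
}
```

Passing a mode only at creation time leaves session files written by earlier versions at 0644, which is why the sketch also calls fchmod() on the open descriptor.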
