[Pkg-kde-extras] Bug#416058: Stores passwords even if the user
chooses not to
Bastian Venthur
venthur at debian.org
Sat Mar 24 14:56:11 UTC 2007
Package: kvpnc
Version: 0.8.6.1-1
Severity: normal
Tags: security
--- Please enter the report below this line. ---
When using kvpnc with pptp you have the option *not* to store the
password and username. But even when you choose this option, kvpnc stores
the username in /etc/ppp/peers/kvpnc.foo and the password in
/etc/ppp/chap-secrets.
Although chap-secrets is readable only by root/root, the passwords
are stored in cleartext in this file, so pretending not to store the
passwords but storing them behind the back of the user is a security
concern.
If you want to reproduce this bug, please keep in mind that the
passwords are stored in chap-secrets after you have tried to connect. So you
must connect before the passwords are stored.
I leave it to you to adjust the severity of this bug.
Cheers,
Bastian
--- System information. ---
Architecture: i386
Kernel: Linux 2.6.18-4-686
Debian Release: 4.0
500 unstable www.debian-multimedia.org
500 unstable ftp.de.debian.org
1 experimental ftp.de.debian.org
--- Package information. ---
Depends (Version) | Installed
=====================================-+-================
kdelibs4c2a (>= 4:3.5.4-1) | 4:3.5.5a.dfsg.1-6
libc6 (>= 2.3.6-6) | 2.3.6.ds1-13
libgcc1 (>= 1:4.1.1-12) | 1:4.1.1-21
libgcrypt11 (>= 1.2.2) | 1.2.3-2
libice6 (>= 1:1.0.0) | 1:1.0.1-2
libpng12-0 (>= 1.2.8rel) | 1.2.15~beta5-1
libqt3-mt (>= 3:3.3.6) | 3:3.3.7-3
libsm6 | 1:1.0.1-3
libstdc++6 (>= 4.1.1-12) | 4.1.1-21
libx11-6 | 2:1.0.3-6
libxext6 | 1:1.0.1-2
zlib1g (>= 1:1.2.1) | 1:1.2.3-13
menu | 2.1.33
net-tools | 1.60-17
psmisc | 22.3-1
kdebase-bin | 4:3.5.5a.dfsg.1-6
OR gksu |
OR sux |
module-init-tools | 3.3-pre4-2
OR modutils |
--
Bastian Venthur http://venthur.de
Debian Developer venthur at debian org
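
A check for the behaviour reported above, as an added example that is not part of the original message and is not kvpnc code: it lists which accounts have a secret in chap-secrets and which kvpnc.* peers files carry a username, without printing any secret. The function names, the `--demo` switch and the sample data (account `alice`, server `pptp-demo`, the secret and the peers-file contents) are constructed for illustration; parsing assumes whitespace-separated fields with no quoted spaces.

```shell
#!/bin/sh
# Added example, not kvpnc code. Lists what pppd credential files hold
# without ever printing a secret.

# chap-secrets lines: client server secret [addresses]; '#' starts a comment.
# Assumes fields contain no quoted whitespace.
list_chap_entries() {
    awk '$1 ~ /^#/ || NF == 0 { next }   # skip comments and blank lines
         NF >= 3 { print $1, $2 }        # field 3 is the cleartext secret
    ' "$1"
}

# Report "name"/"user" options in peers files called kvpnc.* (as in the report).
list_peer_users() {
    for f in "$1"/kvpnc.*; do
        [ -f "$f" ] || continue
        awk -v f="$f" '$1 == "name" || $1 == "user" { print f ": " $1 " " $2 }' "$f"
    done
}

audit_ppp() {
    secrets=${1:-/etc/ppp/chap-secrets}
    peers=${2:-/etc/ppp/peers}
    [ -r "$secrets" ] || { echo "cannot read $secrets (run as root)" >&2; return 2; }
    echo "permissions: $(ls -ld "$secrets" | awk '{ print $1, $3 ":" $4 }')"
    echo "chap-secrets entries holding a secret (client server):"
    list_chap_entries "$secrets"
    echo "usernames in peers files:"
    list_peer_users "$peers"
}

# Constructed sample data so the audit can be tried without touching /etc/ppp.
demo_constructed() {
    d=$(mktemp -d) || return 1
    mkdir "$d/peers"
    printf '%s\n' '# client server secret IP' \
        'alice pptp-demo constructed-secret *' > "$d/chap-secrets"
    printf '%s\n' 'name alice' 'remotename pptp-demo' > "$d/peers/kvpnc.foo"
    audit_ppp "$d/chap-secrets" "$d/peers"
    rm -rf "$d"
}

case "${1:-}" in --demo) demo_constructed ;; esac
```

Running `audit_ppp` as root before and after a connection attempt made with the do-not-store option selected shows whether a new entry has appeared, which is the behaviour this report describes.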