[Pkg-owncloud-maintainers] Bug#737609: owncloud-client: owncloud password stored in world readable config file in plain-text

Jogi Hofmueller jogi at mur.at
Tue Feb 4 08:50:40 UTC 2014

Package: owncloud-client
Version: 1.5.0+dfsg-4
Severity: important

Dear Maintainer,

owncloud-client stores the owncloud user password in the world readable file
..local/share/data/ownCloud/owncloud.cfg in plain-text.  According to
http://owncloud.org/sync-clients/releases/ this should not be the case since
version 1.0.1 but still exists in the current Debian package 1.5.0+dfsg-4

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages owncloud-client depends on:
ii  libc6                 2.17-97
ii  libgcc1               1:4.8.2-14
ii  libneon27-gnutls      0.30.0-1
ii  libocsync0            0.91.4-1
ii  libowncloudsync0      1.5.0+dfsg-4
ii  libqt4-dbus           4:4.8.5+git209-g718fae5+dfsg-1
ii  libqt4-network        4:4.8.5+git209-g718fae5+dfsg-1
ii  libqt4-sql            4:4.8.5+git209-g718fae5+dfsg-1
ii  libqt4-sql-sqlite     4:4.8.5+git209-g718fae5+dfsg-1
ii  libqt4-xml            4:4.8.5+git209-g718fae5+dfsg-1
ii  libqt4-xmlpatterns    4:4.8.5+git209-g718fae5+dfsg-1
ii  libqtcore4            4:4.8.5+git209-g718fae5+dfsg-1
ii  libqtgui4             4:4.8.5+git209-g718fae5+dfsg-1
ii  libqtkeychain0        0.1.0-2
ii  libqtwebkit4          2.2.1-7
ii  libstdc++6            4.8.2-14
ii  owncloud-client-l10n  1.5.0+dfsg-4

owncloud-client recommends no packages.

owncloud-client suggests no packages.

-- no debconf information

More information about the Pkg-owncloud-maintainers mailing list