[Pkg-owncloud-maintainers] Bug#737609: Bug#737609: owncloud-client: owncloud password stored in world readable config file in plain-text

Sandro Knauß bugs at sandroknauss.de
Wed Feb 12 16:40:00 UTC 2014 

Control: reassign -1 qtkeychain
Control: found -1 0.1.0-2
Control: notfound -1 1.5.0+dfsg-4
Control: forwarded -1 https://github.com/frankosterfeld/qtkeychain/issues/16

Hey,

> owncloud-client stores the owncloud user password in the world readable file
> ..local/share/data/ownCloud/owncloud.cfg in plain-text.  According to
> http://owncloud.org/sync-clients/releases/ this should not be the case
> since version 1.0.1 but still exists in the current Debian package
> 1.5.0+dfsg-4 (jessie/testing).

Actually the release file lies. oCC uses qtkeychain for storing passwords. And 
if this lib fails to store the password encrypted it falls back to store it in 
plain-text. I think the request is same as in upstream: 
https://github.com/frankosterfeld/qtkeychain/issues/16

regards,

Sandro

> 
> 
> 
> -- System Information:
> Debian Release: jessie/sid
>   APT prefers testing
>   APT policy: (990, 'testing'), (500, 'unstable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> Versions of packages owncloud-client depends on:
> ii  libc6                 2.17-97
> ii  libgcc1               1:4.8.2-14
> ii  libneon27-gnutls      0.30.0-1
> ii  libocsync0            0.91.4-1
> ii  libowncloudsync0      1.5.0+dfsg-4
> ii  libqt4-dbus           4:4.8.5+git209-g718fae5+dfsg-1
> ii  libqt4-network        4:4.8.5+git209-g718fae5+dfsg-1
> ii  libqt4-sql            4:4.8.5+git209-g718fae5+dfsg-1
> ii  libqt4-sql-sqlite     4:4.8.5+git209-g718fae5+dfsg-1
> ii  libqt4-xml            4:4.8.5+git209-g718fae5+dfsg-1
> ii  libqt4-xmlpatterns    4:4.8.5+git209-g718fae5+dfsg-1
> ii  libqtcore4            4:4.8.5+git209-g718fae5+dfsg-1
> ii  libqtgui4             4:4.8.5+git209-g718fae5+dfsg-1
> ii  libqtkeychain0        0.1.0-2
> ii  libqtwebkit4          2.2.1-7
> ii  libstdc++6            4.8.2-14
> ii  owncloud-client-l10n  1.5.0+dfsg-4
> 
> owncloud-client recommends no packages.
> 
> owncloud-client suggests no packages.
> 
> -- no debconf information
> 
> _______________________________________________
> Pkg-owncloud-maintainers mailing list
> Pkg-owncloud-maintainers at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-owncloud-maintai
> ners
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-owncloud-maintainers/attachments/20140212/c8d372a4/attachment.sig>

More information about the Pkg-owncloud-maintainers mailing list