[DRE-maint] Bug#850858: diaspora-common: twitter_secret etc are stored in world-readable files

Julian Gilbey jdg at debian.org
Tue Jan 10 19:10:10 UTC 2017


Package: diaspora-common
Version: 0.6.0.0+debian5
Severity: serious

Hi Pirate,

I believe this is a security hole, but it will not affect every user of
the package, which is why I have set it to Severity: serious.

During the debconf setup, you are asked (if twitter etc are selected)
for your Twitter Key and Twitter Secret (and likewise for the other
services).  (It is not immediately clear what these mean; the debconf
questions could be improved on this point, I guess.  But that's not
the focus of this bug report.)

The secret (and possibly the key as well) should not be
world-readable, but they are stored in the world-readable file
/var/cache/debconf/config.dat.  They (or at least the Secret) need to
be flagged as being passwords in the template file (Type: password
rather than Type: string).

In addition, these data are then stored in the configuration file
/var/lib/diaspora-common/diaspora.conf
However, this file is also world-readable and needs to be readable by
only those system users who need to be able to have access to this
data (perhaps the diaspora user or group www-data?).

Best wishes,

   Julian

-- System Information:
Debian Release: stretch/sid
  APT prefers jessie
  APT policy: (500, 'jessie'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages diaspora-common depends on:
ii  adduser                                     3.115
ii  bc                                          1.06.95-9+b2
ii  ca-certificates                             20161130
ii  curl                                        7.51.0-1
ii  dbconfig-mysql                              2.0.7
ii  debconf [debconf-2.0]                       1.5.59
ii  default-mysql-server                        1.0.1
ii  exim4                                       4.88-2
ii  exim4-daemon-light [mail-transport-agent]   4.88-2
ii  lsb-base                                    9.20161125
ii  mariadb-server-10.0 [virtual-mysql-server]  10.0.28-2
ii  net-tools                                   1.60+git20161116.90da8a0-1
ii  nginx-full [nginx]                          1.10.2-3
ii  nodejs                                      4.6.1~dfsg-1
ii  postgresql                                  9.6+178
ii  rake                                        10.5.0-2
ii  redis-server                                3:3.2.6-1
ii  ruby                                        1:2.3.3
ii  ruby-rspec                                  3.5.0c3e0m0s0-1
ii  ruby2.1 [ruby-interpreter]                  2.1.5-4
ii  sudo                                        1.8.19-1
ii  ucf                                         3.0036

diaspora-common recommends no packages.

Versions of packages diaspora-common suggests:
ii  easy-rsa  2.2.2-2

-- debconf information excluded
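The two findings above (secrets kept in a world-readable debconf database and in a world-readable diaspora.conf) can be checked and corrected mechanically. The script below is an added example; it is not part of the bug report or of the diaspora-common package. It assumes GNU coreutils stat (as on Debian), the group name "diaspora" as the intended reader of the config file (the report only suggests candidates), and debconf question names such as diaspora-common/twitter_secret, which are guesses used only in the constructed sample config.dat inside the test.

```shell
#!/bin/sh
# Added example, not from the bug report or the diaspora-common package.
# Audits the two files named in Bug#850858 for world-readability, lists
# debconf entries that look like secrets but sit in the plain config.dat,
# and locks a file down to owner + group.
# Assumptions: GNU stat (%a / %U / %G), group "diaspora" as the reader.

# Return 0 if FILE grants read to the "other" class, 1 if not, 2 on error.
world_readable() {
    mode=$(stat -c '%a' "$1") || return 2
    # Last octal digit is the "other" class; 4, 5, 6, 7 all carry the read bit.
    other=$(printf '%s' "$mode" | tail -c 1)
    case "$other" in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the Name of every record in a debconf config.dat-format FILE whose
# name contains "secret" or "password" and whose Value is non-empty.
# Records are blank-line separated "Key: value" blocks.
secrets_in_configdat() {
    awk '
        function emit() {
            if (name ~ /secret|password/ && value != "") print name
        }
        /^Name: /  { name = $2 }
        /^Value: / { value = substr($0, 8) }   # strip the "Value: " prefix
        /^$/       { emit(); name = ""; value = "" }
        END        { emit() }
    ' "$1"
}

# Restrict FILE to owner read/write and group read (0640). The group is
# changed to GROUP (default "diaspora", an assumption) only if it exists,
# so the function also works on a host without that group.
harden_secret_file() {
    file=$1
    group=${2:-diaspora}
    chmod 0640 "$file" || return 1
    if getent group "$group" >/dev/null 2>&1; then
        chgrp "$group" "$file" || return 1
    fi
    # Re-check rather than trust chmod's exit status alone.
    world_readable "$file" && return 1
    return 0
}

# Walk the two files the report names; exit 1 if either is world-readable.
audit_diaspora_secrets() {
    rc=0
    for f in /var/cache/debconf/config.dat /var/lib/diaspora-common/diaspora.conf; do
        if [ ! -e "$f" ]; then
            echo "missing: $f"
            continue
        fi
        if world_readable "$f"; then
            echo "WORLD-READABLE: $f ($(stat -c '%a %U:%G' "$f"))"
            rc=1
            case "$f" in
                */config.dat)
                    secrets_in_configdat "$f" | sed 's/^/  plaintext secret: /' ;;
            esac
        else
            echo "ok: $f"
        fi
    done
    return "$rc"
}

# Run the audit only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--audit" ]; then
    audit_diaspora_secrets
fi
```

Hardening diaspora.conf is the second half of the fix; the first half (switching the template to Type: password) makes debconf store the answer in /var/cache/debconf/passwords.dat, which is root-owned mode 0600, instead of config.dat, so the audit should report no secret-looking entries in config.dat once the package is fixed.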
