Bug#361913: linphone: passwords stored world-readable

Lionel Elie Mamane lionel at mamane.lu
Tue Apr 11 08:12:16 UTC 2006


Package: linphone
Version: 1.2.0-3
Severity: grave
Tags: security
Justification: user security hole

The accounts information, including CLEAR-TEXT passwords, is stored in
$HOME/.gnome2/linphone, which is by default world-readable. It should
be in $HOME/.gnome2_private/linphone (or any other path below
$HOME/.gnome2_private/), where it will be safe, since
$HOME/.gnome2_private/ is mode 0700.

sarge does not contain linphone.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (200, 'experimental')
Architecture: i386 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-deb1-64bit
Locale: LANG=fr_LU.UTF-8, LC_CTYPE=fr_LU.UTF-8 (charmap=UTF-8)

Versions of packages linphone depends on:
ii  libart-2.0-2             2.3.17-1        Library of functions for 2D graphi
ii  libatk1.0-0              1.10.3-1        The ATK accessibility toolkit
ii  libbonobo2-0             2.10.1-1        Bonobo CORBA interfaces library
ii  libbonoboui2-0           2.10.1-2        The Bonobo UI library
ii  libc6                    2.3.6-1         GNU C Library: Shared libraries an
ii  libcairo2                1.0.2-3         The Cairo 2D vector graphics libra
ii  libfontconfig1           2.3.2-2         generic font configuration library
ii  libgconf2-4              2.12.1-9        GNOME configuration database syste
ii  libglib2.0-0             2.8.6-1         The GLib library of C routines
ii  libgnome-keyring0        0.4.7-1         GNOME keyring services library
ii  libgnome2-0              2.12.0.1-5      The GNOME 2 library - runtime file
ii  libgnomecanvas2-0        2.12.0-2        A powerful object-oriented display
ii  libgnomeui-0             2.12.1-1        The GNOME 2 libraries (User Interf
ii  libgnomevfs2-0           2.12.2-6        GNOME virtual file-system (runtime
ii  libgtk2.0-0              2.8.12-1        The GTK+ graphical user interface 
ii  libice6                  6.9.0.dfsg.1-4  Inter-Client Exchange library
ii  liblinphone1             1.2.0-3         linphone web phone's library (supp
ii  liborbit2                1:2.12.4-1      libraries for ORBit2 - a CORBA ORB
ii  libosip2-3               2.2.2-2         Session Initiation Protocol (SIP) 
ii  libpanel-applet2-0       2.12.3-1        library for GNOME 2 panel applets
ii  libpango1.0-0            1.10.3-1        Layout and rendering of internatio
ii  libpopt0                 1.7-5           lib for parsing cmdline parameters
ii  libsm6                   6.9.0.dfsg.1-4  X Window System Session Management
ii  libx11-6                 6.9.0.dfsg.1-4  X Window System protocol client li
ii  libxcursor1              1.1.3-1         X cursor management library
ii  libxext6                 6.9.0.dfsg.1-4  X Window System miscellaneous exte
ii  libxi6                   6.9.0.dfsg.1-4  X Window System Input extension li
ii  libxinerama1             6.9.0.dfsg.1-4  X Window System multi-head display
ii  libxml2                  2.6.23.dfsg.2-2 GNOME XML library
ii  libxrandr2               6.9.0.dfsg.1-4  X Window System Resize, Rotate and
ii  libxrender1              1:0.9.0.2-1     X Rendering Extension client libra
ii  linphone-nox             1.2.0-3         web phone
ii  zlib1g                   1:1.2.3-9       compression library - runtime

linphone recommends no packages.

-- no debconf information
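
Why the path suggested in the report is safe, as an added example (not part of the original report and not linphone code): a file is readable by other local users only if it has the other-read bit and every ancestor directory is searchable by others, so a mode 0700 $HOME/.gnome2_private/ protects even a mode 0644 file inside it. The function name is hypothetical; ACLs and group permissions are not considered.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical helper (not linphone code). Returns 1 if a local user who is
 * neither the owner nor in the group can read `path`: the file has the
 * other-read bit and every ancestor directory has the other-search bit.
 * Returns 0 if not, -1 on error. ACLs and group bits are not considered. */
int readable_by_others(const char *path)
{
    struct stat st;
    char buf[4096];
    char *slash;

    if (path[0] != '/' || strlen(path) >= sizeof buf)
        return -1;                  /* absolute paths only */
    if (stat(path, &st) != 0)
        return -1;
    if (!(st.st_mode & S_IROTH))
        return 0;                   /* e.g. the file itself is mode 0600 */

    strcpy(buf, path);
    /* Walk up: /home/u/.gnome2/linphone -> /home/u/.gnome2 -> ... -> / */
    while ((slash = strrchr(buf, '/')) != NULL) {
        int at_root = (slash == buf);
        if (at_root)
            slash[1] = '\0';        /* keep "/" as the last directory */
        else
            *slash = '\0';          /* strip the last path component */
        if (stat(buf, &st) != 0)
            return -1;
        if (!(st.st_mode & S_IXOTH))
            return 0;               /* a 0700 ancestor blocks traversal */
        if (at_root)
            break;
    }
    return 1;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s /absolute/path/to/file\n", argv[0]);
        return 2;
    }
    int r = readable_by_others(argv[1]);
    printf("%s: %s\n", argv[1], r == 1 ? "readable by other users"
                              : r == 0 ? "not readable by other users" : "cannot check");
    return r == 1;
}
```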



