Bug#361913: linphone: patch for "passwords stored world-readable"

Simon Morlat simon.morlat at linphone.org
Tue May 16 08:30:41 UTC 2006


Hello,

Thanks a lot for the patch. It is merged in CVS.

Simon


On Monday 15 May 2006 00:41, Alec Berryman wrote:
> Package: linphone
> Version: 1.3.3-1
> Followup-For: Bug #361913
>
> Linphone also stores passwords in ~/.linphonerc.  That file may have
> been created group- or world-accessible because it was created with
> fopen(), which uses the user's umask.  See coreapi/lpconfig.c:211.  Both
> frontends use functions in coreapi/lpconfig.c to store configuration
> information, and do not implement separate read/parse/write functions.
>
> Per console/linphonec.c:739, linphone appears to be migrating to use
> ~/.linphonerc for both the console and GNOME client, so any discussion
> of ~/.gnome2_private vs gconf is probably moot.  Encrypting saved
> passwords is also not a good option; see
> http://gaim.sourceforge.net/plaintextpasswords.php for more
> information.
>
> The GNOME client does not appear to be using ~/.linphonerc as of
> 1.3.3-1; in gnome/linphone.c:344, the configuration file name is still
> ~/.gnome2/linphone.
>
> I believe that the attached dpatch corrects the issue of world-readable
> passwords.  When the configuration file is to be written, the user's
> umask is overridden so that the file will not be created group- or
> world-accessible.  Additionally, when parsing the configuration file on
> startup, it will forcibly set permissions to 600.  This may be too
> heavy-handed and it might be more appropriate to stat() and possibly
> emit a g_warning() to the user, but I thought it was better to require
> no user intervention.
>
> The patch applies and compiles correctly (when docs are removed from the
> build; see #365523).  I have tested the GNOME frontend, and
> ~/.gnome2/linphone is created correctly and is properly updated when it
> already exists.
>
>
> -- System Information:
> Debian Release: testing/unstable
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/dash
> Kernel: Linux 2.6.16-alec-laptop
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>
> Versions of packages linphone depends on:
> ii  libart-2.0-2               2.3.17-1      Library of functions for 2D graphi
> ii  libatk1.0-0                1.11.4-2      The ATK accessibility toolkit
> ii  libbonobo2-0               2.14.0-1      Bonobo CORBA interfaces library
> ii  libbonoboui2-0             2.14.0-2      The Bonobo UI library
> ii  libc6                      2.3.6-7       GNU C Library: Shared libraries
> ii  libcairo2                  1.0.4-2       The Cairo 2D vector graphics libra
> ii  libfontconfig1             2.3.2-5.1     generic font configuration library
> ii  libgconf2-4                2.14.0-1      GNOME configuration database syste
> ii  libglib2.0-0               2.10.2-2      The GLib library of C routines
> ii  libgnome-keyring0          0.4.9-1       GNOME keyring services library
> ii  libgnome2-0                2.14.1-2      The GNOME 2 library - runtime file
> ii  libgnomecanvas2-0          2.14.0-2      A powerful object-oriented display
> ii  libgnomeui-0               2.14.1-1      The GNOME 2 libraries (User Interf
> ii  libgnomevfs2-0             2.14.1-2      GNOME virtual file-system (runtime
> ii  libgtk2.0-0                2.8.17-2      The GTK+ graphical user interface
> ii  libice6                    1:1.0.0-3     X11 Inter-Client Exchange library
> ii  liblinphone1               1.3.3-1       linphone web phone's library (supp
> ii  liborbit2                  1:2.14.0-1    libraries for ORBit2 - a CORBA ORB
> ii  libosip2-3                 2.2.2-3       Session Initiation Protocol (SIP)
> ii  libpanel-applet2-0         2.14.1-1      library for GNOME 2 panel applets
> ii  libpango1.0-0              1.12.1-3      Layout and rendering of internatio
> ii  libpopt0                   1.7-5         lib for parsing cmdline parameters
> ii  libsm6                     1:1.0.0-4     X11 Session Management library
> ii  libx11-6                   2:1.0.0-6     X11 client-side library
> ii  libxcursor1                1.1.5.2-5     X cursor management library
> ii  libxext6                   1:1.0.0-4     X11 miscellaneous extension librar
> ii  libxi6                     1:1.0.0-5     X11 Input extension library
> ii  libxinerama1               1:1.0.1-4     X11 Xinerama extension library
> ii  libxml2                    2.6.24.dfsg-1 GNOME XML library
> ii  libxrandr2                 2:1.1.0.2-4   X11 RandR extension library
> ii  libxrender1                1:0.9.0.2-4   X Rendering Extension client libra
> ii  linphone-nox               1.3.3-1       web phone
> ii  zlib1g                     1:1.2.3-11    compression library - runtime
>
> linphone recommends no packages.
>
> -- no debconf information
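
The two steps the quoted report describes (create the configuration file without group or world access whatever the umask is, and force mode 600 before parsing), as an added example: this is not the attached dpatch or linphone's own code, and the function names `save_private`, `tighten_on_load` and `perm_bits` are hypothetical. It asks open() for mode 0600 instead of overriding the umask around fopen() as the report does.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: write a config file that holds a password so that
 * only its owner can read it, whatever the umask. Returns 0 on success. */
int save_private(const char *path, const char *text)
{
    /* fopen() creates 0666 & ~umask; open() asks for 0600, umask only clears bits. */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    /* The mode argument is ignored when the file already exists, so
     * tighten a pre-existing file before any secret is written to it. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        return -1;
    }
    FILE *f = fdopen(fd, "w");
    if (f == NULL) {
        close(fd);
        return -1;
    }
    int bad = (fputs(text, f) == EOF);
    if (fclose(f) != 0)
        bad = 1;
    return bad ? -1 : 0;
}

/* Call before parsing: returns 1 if the file was group- or world-accessible
 * and has been reset to 0600, 0 if it was already private, -1 on error. */
int tighten_on_load(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if ((st.st_mode & (S_IRWXG | S_IRWXO)) == 0)
        return 0;
    return chmod(path, S_IRUSR | S_IWUSR) == 0 ? 1 : -1;
}

/* Permission bits of path, or -1 if it cannot be examined. */
int perm_bits(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}
```

A return value of 1 from `tighten_on_load` is the point at which a caller could also emit the warning the report mentions as an alternative.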
