Package: gbrowse
Version: 2.54+dfsg-7
Severity: normal
Tags: security
User: reproducible-builds@lists.alioth.debian.org
Usertags: randomness
X-Debbugs-Cc: reproducible-builds@lists.alioth.debian.org

Hi,

gbrowse ships an OpenID consumer secret in 
/usr/share/perl5/GBrowse/ConfigData.pm:

       {
         'OpenIDConsumerSecret' => '639098210478536',
         'cgibin' => '/usr/lib/cgi-bin/gbrowse',
         'conf' => '/etc/gbrowse',
         'config_done' => 1,
         'databases' => '/var/lib/gbrowse/databases',
         'htdocs' => '/usr/share/gbrowse/htdocs',
         'installetc' => 'y',
         'persistent' => '/var/lib/gbrowse',
         'registration_done' => '1',
         'tmp' => '/var/cache/gbrowse'
       },


The number is randomly generated at build time, meaning that everyone installing
that particular .deb gets the same "secret". The security implications of this
should be obvious, hence the tag.

(In addition, it also means the package is not reproducible.)


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-

_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
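A small shell illustration of the point made in the report, added here and not part of the bug report, of gbrowse or of Debian's packaging: a function that detects the shipped, build-time secret in a ConfigData.pm-style file and replaces it with a value generated on the installed host from /dev/urandom (the kind of step a maintainer script could take, since a value everyone can read out of the .deb is not a secret). The constructed sample file, the regeneration policy and the file permissions are assumptions; the known value '639098210478536' is the one quoted above.

```shell
#!/bin/sh
# Added illustration, not gbrowse's or Debian's code. Rotates an OpenID consumer
# secret that was baked into the package at build time (so shared by every
# install) to one generated on this host. File layout mimics the ConfigData.pm
# excerpt from the report; the rotation policy here is an assumption.
set -eu

# Value that ships in the .deb, copied from the report: every install has it.
SHIPPED_SECRET='639098210478536'

# Print the current OpenIDConsumerSecret value from a ConfigData.pm-style file.
current_secret() {
    sed -n "s/.*'OpenIDConsumerSecret' => '\([^']*\)'.*/\1/p" "$1"
}

# 32 bytes from the kernel CSPRNG, hex-encoded (64 characters).
fresh_secret() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Rewrite the file in place with a host-specific secret if it still carries the
# shipped (shared) value or no value at all. Returns 0 if rotated, 1 otherwise.
rotate_if_shared() {
    file="$1"
    cur="$(current_secret "$file")"
    if [ -z "$cur" ] || [ "$cur" = "$SHIPPED_SECRET" ]; then
        new="$(fresh_secret)"
        tmp="$(mktemp)"
        sed "s/'OpenIDConsumerSecret' => '[^']*'/'OpenIDConsumerSecret' => '$new'/" \
            "$file" > "$tmp"
        chmod 0640 "$tmp"   # a secret should not be world-readable
        mv "$tmp" "$file"
        return 0
    fi
    return 1
}

# Constructed sample mirroring the excerpt quoted in the report.
make_sample() {
    cat > "$1" <<'EOF'
       {
         'OpenIDConsumerSecret' => '639098210478536',
         'cgibin' => '/usr/lib/cgi-bin/gbrowse',
         'conf' => '/etc/gbrowse',
       },
EOF
}

# Demo: build the sample, rotate once, show a second run is a no-op.
sample="$(mktemp)"
make_sample "$sample"
echo "before: $(current_secret "$sample")"
rotate_if_shared "$sample" && echo "rotated"
echo "after:  $(current_secret "$sample")"
rotate_if_shared "$sample" || echo "second run: nothing to do"
rm -f "$sample"
```

The detection is deliberately keyed on the known shipped value as well as on an empty value, so the same function is safe to re-run: a secret that has already been rotated is left alone, which matters for a script that runs on every package upgrade.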