Bug#747428: [xbmc] passwords are stored in plain xml file
Hi,

CVE-2014-3800 was assigned now for the issue that mode 0644 is used for the file containing the password, see [1].

[1] http://www.openwall.com/lists/oss-security/2014/05/20/5

Regards,
Salvatore

___
pkg-multimedia-maintainers mailing list
pkg-multimedia-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers

Processed: Re: Bug#747428: [xbmc] passwords are stored in plain xml file
Processing control commands:

found -1 2:11.0~git20120510.82388d5-1
Bug #747428 [xbmc] [xbmc] passwords are stored in plain xml file
Marked as found in versions xbmc/2:11.0~git20120510.82388d5-1.
tags -1 confirmed
Bug #747428 [xbmc] [xbmc] passwords are stored in plain xml file
Added tag(s) confirmed.

--
747428: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747428
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#747428: [xbmc] passwords are stored in plain xml file
Control: found -1 2:11.0~git20120510.82388d5-1
Control: tags -1 confirmed

2014-05-08 16:41 GMT+02:00 Adrien Grellier pe...@adrieng.fr:

> Package: xbmc
> Version: 2:13.0+dfsg1-1
> Severity: grave
> Tags: security
> X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
>
> Hi,
>
> I just added a WebDAV source in xbmc, so it asks for a username and password. But this information is then stored in a plain XML file: ~/.xbmc/userdata/sources.xml, moreover a world-readable file:
>
> adrien ~/ $ ls -l .xbmc/userdata/sources.xml
> -rw-r--r-- 1 adrien adrien 1006 mai  8 16:34 .xbmc/userdata/sources.xml
>
> This file should be at least chmod 700 and the users should be informed that the password will be stored in an unsafe manner.
>
> Regards,
> Adrien
>
> --- System information. ---
> Architecture: amd64
> Kernel: Linux 3.13-1-amd64
>
> Debian Release: jessie/sid
> 900 testing       security.debian.org
> 900 testing       ftp.fr.debian.org
> 800 unstable      ftp.fr.debian.org
> 700 experimental  ftp.fr.debian.org
>
> --- Package information. ---
> Depends (Version)              | Installed
> -+-===
> xbmc-bin (= 2:13.0+dfsg1-1)    | 2:13.0+dfsg1-1
> xbmc-bin ( 2:13.0+dfsg1-1.1~)  | 2:13.0+dfsg1-1
> mesa-utils                     | 8.1.0-2+b1
> x11-utils                      | 7.7+1
> fonts-dejavu-core              | 2.34-1
> OR ttf-dejavu-core             | 2.34-1
> fonts-roboto                   | 1:4.3-3
> libjs-jquery                   | 1.7.2+dfsg-3
> libjs-iscroll                  | 5.1.1+dfsg1-1
> python-imaging                 | 2.3.0-2
> python:any (= 2.7.5-5~)        |
>
> Package's Recommends field is empty.
>
> Package's Suggests field is empty.

Bug#747428: [xbmc] passwords are stored in plain xml file
Package: xbmc
Version: 2:13.0+dfsg1-1
Severity: grave
Tags: security
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org

Hi,

I just added a WebDAV source in xbmc, so it asks for a username and password. But this information is then stored in a plain XML file: ~/.xbmc/userdata/sources.xml, moreover a world-readable file:

adrien ~/ $ ls -l .xbmc/userdata/sources.xml
-rw-r--r-- 1 adrien adrien 1006 mai  8 16:34 .xbmc/userdata/sources.xml

This file should be at least chmod 700 and the users should be informed that the password will be stored in an unsafe manner.

Regards,
Adrien

--- System information. ---
Architecture: amd64
Kernel: Linux 3.13-1-amd64

Debian Release: jessie/sid
900 testing       security.debian.org
900 testing       ftp.fr.debian.org
800 unstable      ftp.fr.debian.org
700 experimental  ftp.fr.debian.org

--- Package information. ---
Depends (Version)              | Installed
-+-===
xbmc-bin (= 2:13.0+dfsg1-1)    | 2:13.0+dfsg1-1
xbmc-bin ( 2:13.0+dfsg1-1.1~)  | 2:13.0+dfsg1-1
mesa-utils                     | 8.1.0-2+b1
x11-utils                      | 7.7+1
fonts-dejavu-core              | 2.34-1
OR ttf-dejavu-core             | 2.34-1
fonts-roboto                   | 1:4.3-3
libjs-jquery                   | 1.7.2+dfsg-3
libjs-iscroll                  | 5.1.1+dfsg1-1
python-imaging                 | 2.3.0-2
python:any (= 2.7.5-5~)        |

Package's Recommends field is empty.

Package's Suggests field is empty.
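
A defender-side check for the condition reported in this thread, as an added example that is not part of the original messages or of XBMC's code: it reads the file's mode bits and lists the hosts whose source URL embeds a password, without printing the secret. The `<path>` element layout, the `dav://user:password@host` URL form, the helper names and all sample values are assumptions constructed for illustration.

```python
import os
import stat
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit


def audit_sources(path):
    """Return (mode, exposed_bits, hosts_with_credentials) for a sources.xml."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    exposed = mode & 0o077  # any permission bit granted to group or other
    hosts = []
    # Assumed layout: each source location is a URL inside a <path> element.
    for elem in ET.parse(path).iter("path"):
        url = urlsplit((elem.text or "").strip())
        if url.password is not None:
            hosts.append(url.hostname)  # report the host, never the secret
    return mode, exposed, hosts


def restrict_to_owner(path):
    """Clear all group/other bits, leaving the owner's bits unchanged."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~0o077)
    return stat.S_IMODE(os.stat(path).st_mode)


def make_sample(directory):
    """Write a constructed sources.xml with the 0644 mode from the report."""
    sample = (
        "<sources><video><source><name>dav</name>"
        "<path>dav://alice:s3cret@media.example.org/videos/</path>"
        "</source></video>"
        "<music><source><name>local</name>"
        "<path>/srv/music/</path></source></music>"
        "</sources>"
    )
    path = os.path.join(directory, "sources.xml")
    with open(path, "w") as fh:
        fh.write(sample)
    os.chmod(path, 0o644)  # same mode as the ls -l output in the report
    return path


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        p = make_sample(tmp)
        mode, exposed, hosts = audit_sources(p)
        print(f"mode={mode:04o} exposed={exposed:03o} hosts={hosts}")
        print(f"after fix: {restrict_to_owner(p):04o}")
```

Clearing the group and other bits only limits who can read the file; the password is still stored in cleartext inside it.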