Debian Bug report logs - #337830
[CVE-2006-2192] World-readable config file contains password


Package: kphone; Maintainer for kphone is Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>;

Reported by: Sven Dreyer <sven@dreyer-net.de>

Date: Sun, 6 Nov 2005 20:03:12 UTC

Severity: serious

Tags: patch, security

Found in versions kphone/1:4.2-3, kphone/1:4.1.0-2

Fixed in versions kphone/1:4.2-6, kphone/1:4.1.0-2sarge1

Done: Filipus Klutiero <chealer@vif.com>

Bug is archived. No further changes may be made.

Forwarded to kphone-devel@lists.sourceforge.net, kphone@wirlab.net



Report forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#337830; Package kphone. Full text and rfc822 format available.

Acknowledgement sent to Sven Dreyer <sven@dreyer-net.de>:
New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Sven Dreyer <sven@dreyer-net.de>
To: submit@bugs.debian.org
Subject: Security problem in kphone
Date: Sun, 06 Nov 2005 20:11:54 +0100
Package: kphone
Version: 4.2-3
Severity: serious

I think I have found a security flaw in kphone:
it creates ~/.qt/kphonerc world-readable! This file contains the user's
SIP-password and so on, so I guess this is a bad thing, because the
~/.qt dir itself is by default also readable by everybody.

I removed the whole ~/.qt dir and restarted kphone: same behaviour.

Regards,
Sven


Tags added: security. Request was from Helge Kreutzmann <kreutzm@itp.uni-hannover.de> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Mark Purcell <msp@debian.org>:
You have marked Bug as forwarded. Full text and rfc822 format available.

Message #10 received at 337830-forwarded@bugs.debian.org (full text, mbox):

From: Mark Purcell <msp@debian.org>
To: kphone-devel@lists.sourceforge.net, kphone@wirlab.net
Cc: 337830-forwarded@bugs.debian.org, Sven Dreyer <sven@dreyer-net.de>
Subject: Fwd: Bug#337830: Security problem in kphone
Date: Sun, 6 Nov 2005 22:34:29 +0000
Hey kphone-devel,

Find enclosed a security bug report about kphone from a Debian user.

This and other kphone issues in Debian can be found at 
http://bugs.debian.org/kphone.

Mark

----------  Forwarded Message  ----------

Subject: Bug#337830: Security problem in kphone
Date: Sunday 06 November 2005 19:11
From: Sven Dreyer <sven@dreyer-net.de>
To: submit@bugs.debian.org

Package: kphone
Version: 4.2-3
Severity: serious

I think I have found a security flaw in kphone:
it creates ~/.qt/kphonerc world-readable! This file contains the user's
SIP-password and so on, so I guess this is a bad thing, because the
~/.qt dir itself is by default also readable by everybody.

I removed the whole ~/.qt dir and restarted kphone: same behaviour.

Regards,
Sven


Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#337830; Package kphone. Full text and rfc822 format available.

Acknowledgement sent to Ludovic Drolez <ldrolez@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #15 received at 337830@bugs.debian.org (full text, mbox):

From: Ludovic Drolez <ldrolez@debian.org>
To: 337830@bugs.debian.org
Subject: Re: Security problem in kphone
Date: Fri, 03 Feb 2006 21:26:06 +0100
Hi!

I cannot reproduce your bug. With my settings kphonerc is created with 664
rights, since my umask is set to 002.

I think that you have your umask set to 000. Which value does 'umask' return?

Regards,

-- 
Ludovic Drolez.

http://www.palmopensource.com       - The PalmOS Open Source Portal
http://www.drolez.com      - Personal site - Linux and PalmOS stuff



Message sent on to Sven Dreyer <sven@dreyer-net.de>:
Bug#337830. Full text and rfc822 format available.

Information stored:
Bug#337830; Package kphone. Full text and rfc822 format available.

Acknowledgement sent to Sven Dreyer <sven@dreyer-net.de>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #23 received at 337830-quiet@bugs.debian.org (full text, mbox):

From: Sven Dreyer <sven@dreyer-net.de>
To: Ludovic Drolez <ldrolez@debian.org>, 337830-quiet@bugs.debian.org
Subject: Re: Bug#337830: Security problem in kphone
Date: Sat, 04 Feb 2006 10:49:09 +0100
Hi Ludovic,

Ludovic Drolez schrieb:
> I cannot reproduce your bug. With my settings kphonerc is created with 664
> rights, since my umask is set to 002.
> 
> I think that you have your umask set to 000. Which value does 'umask' return?

test@sven-desktop:~$ umask
0022
test@sven-desktop:~$ ls -l .qt/kphonerc
-rw-r--r--  1 test test 130 2006-02-04 09:57 .qt/kphonerc
test@sven-desktop:~$

But that is the problem: kphonerc is world-_readable_ and it contains
the username and password in clear text.

Umask value should not be applied in this case, the permissions on
kphonerc should always be 0600 since this file contains sensitive data.

Regards,
Sven
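What "always 0600 regardless of umask" looks like in code, as an added example that is not kphone's own code: the file is created with mode 0600 and then fchmod()ed, so neither the user's umask nor a kphonerc left behind by an earlier build can widen it, and a second function checks whether an existing config is exposed to other users. The path and the INI-style contents are constructed samples; the umask(022) mirrors the reporter's setting.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if any group/other permission bit is set on `path`, 0 if the file is
 * owner-only, -1 if it cannot be stat()ed. */
int config_is_exposed(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) != 0;
}

/* Writes `data` to `path` with mode 0600 regardless of the process umask.
 * umask can only clear bits from open()'s mode, so 0600 never comes out
 * wider; fchmod() afterwards also repairs a file an older build left 0644.
 * Returns 0 on success, -1 on error. */
int write_private_config(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        return -1;
    }
    size_t len = strlen(data);
    if (write(fd, data, len) != (ssize_t)len) {
        close(fd);
        return -1;
    }
    return close(fd);
}

int main(void)
{
    /* Constructed sample path; 022 is the reporter's umask (0666 -> 0644). */
    const char *path = "/tmp/kphonerc.example";
    umask(022);
    if (write_private_config(path, "[Registration]\nPassword=secret\n") != 0) {
        perror("write_private_config");
        return 1;
    }
    printf("%s readable by other users: %s\n", path, config_is_exposed(path) ? "yes" : "no");
    return 0;
}
```

Unlike a process-wide umask(077), the fchmod() here affects only this one file, so other files the program creates keep their normal permissions.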



Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#337830; Package kphone. Full text and rfc822 format available.

Acknowledgement sent to Ludovic Drolez <ldrolez@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #28 received at 337830@bugs.debian.org (full text, mbox):

From: Ludovic Drolez <ldrolez@debian.org>
To: Sven Dreyer <sven@dreyer-net.de>, Klaus Fleischmann <kgfleischmann@t-online.de>
Cc: 337830@bugs.debian.org
Subject: Re: Bug#337830: Security problem in kphone
Date: Sat, 04 Feb 2006 23:07:39 +0100

Sven Dreyer wrote:
> Hi Ludovic,
> 
> Ludovic Drolez schrieb:
> 
>>I cannot reproduce your bug. With my settings kphonerc is created with 664
>>rights, since my umask is set to 002.
>>
>>I think that you have your umask set to 000. Which value does 'umask' return?
> 
> 
> test@sven-desktop:~$ umask
> 0022
> test@sven-desktop:~$ ls -l .qt/kphonerc
> -rw-r--r--  1 test test 130 2006-02-04 09:57 .qt/kphonerc
> test@sven-desktop:~$
> 
> But that is the problem: kphonerc is world-_readable_ and it contains
> the username and password in clear text.
> 
> Umask value should not be applied in this case, the permissions on
> kphonerc should always be 0600 since this file contains sensitive data.
> 

Ok. I've added 'umask(077)' in kphone.cpp, near the start of
KPhone::KPhone(), and it does the trick.

Klaus, since I'm not a Qt expert, should I use the Unix umask or is there a
Qt equivalent?

Regards,

-- 
Ludovic Drolez.

http://www.palmopensource.com       - The PalmOS Open Source Portal
http://www.drolez.com      - Personal site - Linux and PalmOS stuff
[kphone.cpp.diff (text/plain, inline)]
--- kphone.cpp.orig	2005-06-21 13:14:49.000000000 +0200
+++ kphone.cpp	2006-02-04 22:49:19.000000000 +0100
@@ -1,5 +1,8 @@
 #include <stdio.h>
 #include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
 #include <qtimer.h>
 #include <qsettings.h>
 #include <qmenubar.h>
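Review bot: the two new headers are the right ones for umask() (it is declared in <sys/stat.h>, and <sys/types.h> supplies mode_t), but a one-line comment above them saying they exist for the umask() call in KPhone::KPhone() would stop a later header cleanup from dropping POSIX includes that look out of place in a Qt source file.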
@@ -32,6 +35,8 @@
 		userPrefix = "_" + prefix + "_";
 	}
 	QSettings settings;
+	
+	umask(077);
 	Sip::setLocalAddress( settings.readEntry(
 		"/kphone/dissipate_addr", Sip::getLocalAddress() ) );
 	QString socketStr = settings.readEntry( "/kphone/General/SocketMode", "UDP" );
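Review bot: umask(077) is applied only after `QSettings settings;` has been constructed, so the fix relies on QSettings not creating kphonerc until a later write or its destructor; if any path writes settings before this line, the file is still created under the user's own umask, so moving the call above the QSettings declaration (or to the start of main()) makes the guarantee unconditional. Two further points deserve a comment in the code: umask() is process-wide, so every file kphone creates from here on becomes owner-only, not just kphonerc; and a kphonerc that an earlier version already created 0644 is not repaired by changing the umask, which calls for an explicit chmod to 0600 of the existing file. Also, the added blank line `+	` carries a trailing tab.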

Tags added: patch. Request was from Ludovic <ldrolez@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Mark Purcell <msp@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Sven Dreyer <sven@dreyer-net.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #35 received at 337830-close@bugs.debian.org (full text, mbox):

From: Mark Purcell <msp@debian.org>
To: 337830-close@bugs.debian.org
Subject: Bug#337830: fixed in kphone 1:4.2-6
Date: Mon, 17 Apr 2006 05:47:22 -0700
Source: kphone
Source-Version: 1:4.2-6

We believe that the bug you reported is fixed in the latest version of
kphone, which is due to be installed in the Debian FTP archive:

kphone_4.2-6.diff.gz
  to pool/main/k/kphone/kphone_4.2-6.diff.gz
kphone_4.2-6.dsc
  to pool/main/k/kphone/kphone_4.2-6.dsc
kphone_4.2-6_i386.deb
  to pool/main/k/kphone/kphone_4.2-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 337830@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Purcell <msp@debian.org> (supplier of updated kphone package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Mon, 17 Apr 2006 12:17:45 +0100
Source: kphone
Binary: kphone
Architecture: source i386
Version: 1:4.2-6
Distribution: unstable
Urgency: low
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Mark Purcell <msp@debian.org>
Description: 
 kphone     - Voice over IP (VoIP) phone application
Closes: 337830 357959 361492
Changes: 
 kphone (1:4.2-6) unstable; urgency=low
 .
   [ Kilian Krause ]
   * Add fix to compile with gcc4.1. (Closes: #357959)
   * Lower build-depends on libqt3-mt-dev to ease backports to Sarge.
 .
   [ Mark Purcell ]
   * Remove dpatch Build-Depends
   * Update Build-Depends
     - FTBFS on kfreebsd-amd64: unsatisfied Build-Depends (Closes: #361492)
   * Add debian/patches/umask.diff
     - Security problem in kphone (Closes: #337830)
Files: 
 c1a1080084887cefac3b6755fa8c90c1 888 kde optional kphone_4.2-6.dsc
 cb73fc220ff9e1e6030838279c6e085d 5341 kde optional kphone_4.2-6.diff.gz
 2d8b7d2df27ed76aef8a96a26d9c490a 422218 kde optional kphone_4.2-6_i386.deb


Changed Bug title. Request was from Filipus Klutiero <chealer@vif.com> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as not found in version 4.2-3. Request was from Filipus Klutiero <chealer@vif.com> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as found in version 1:4.2-3. Request was from Filipus Klutiero <chealer@vif.com> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as found in version 1:4.1.0-2. Request was from Filipus Klutiero <chealer@vif.com> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as fixed in version 1:4.1.0-2sarge1, send any further explanations to Sven Dreyer <sven@dreyer-net.de>. Request was from Filipus Klutiero <chealer@vif.com> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 02:07:16 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 12:17:32 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.