Report forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#337830; Package kphone.
Acknowledgement sent to Sven Dreyer <sven@dreyer-net.de>:
New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
Package: kphone
Version: 4.2-3
Severity: serious
I think I have found a security flaw in kphone:
it creates ~/.qt/kphonerc world-readable! This file contains the user's
SIP-password and so on, so I guess this is a bad thing, because the
~/.qt dir itself is by default also readable by everybody.
I removed the whole ~/.qt dir and restarted kphone: same behaviour.
Regards,
Sven
Tags added: security
Request was from Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
to control@bugs.debian.org.
Reply sent to Mark Purcell <msp@debian.org>:
You have marked Bug as forwarded.
To: kphone-devel@lists.sourceforge.net,
kphone@wirlab.net
Cc: 337830-forwarded@bugs.debian.org,
Sven Dreyer <sven@dreyer-net.de>
Subject: Fwd: Bug#337830: Security problem in kphone
Date: Sun, 6 Nov 2005 22:34:29 +0000
Hey kphone-devel,
Find enclosed a security bug report about kphone from a Debian user.
This and other kphone issues in Debian can be found at
http://bugs.debian.org/kphone.
Mark
---------- Forwarded Message ----------
Subject: Bug#337830: Security problem in kphone
Date: Sunday 06 November 2005 19:11
From: Sven Dreyer <sven@dreyer-net.de>
To: submit@bugs.debian.org
Package: kphone
Version: 4.2-3
Severity: serious
I think I have found a security flaw in kphone:
it creates ~/.qt/kphonerc world-readable! This file contains the user's
SIP-password and so on, so I guess this is a bad thing, because the
~/.qt dir itself is by default also readable by everybody.
I removed the whole ~/.qt dir and restarted kphone: same behaviour.
Regards,
Sven
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#337830; Package kphone.
Acknowledgement sent to Ludovic Drolez <ldrolez@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
Hi !
I cannot reproduce your bug. With my settings kphonerc is created with 664
rights, since my umask is set to 002.
I think that you have your umask set to 000. Which value returns 'umask ?'
Regards,
--
Ludovic Drolez.
http://www.palmopensource.com - The PalmOS Open Source Portal
http://www.drolez.com - Personal site - Linux and PalmOS stuff
Message sent on to Sven Dreyer <sven@dreyer-net.de>:
Bug#337830.
Information stored: Bug#337830; Package kphone.
Acknowledgement sent to Sven Dreyer <sven@dreyer-net.de>:
Extra info received and filed, but not forwarded.
To: Ludovic Drolez <ldrolez@debian.org>, 337830-quiet@bugs.debian.org
Subject: Re: Bug#337830: Security problem in kphone
Date: Sat, 04 Feb 2006 10:49:09 +0100
Hi Ludovic,
Ludovic Drolez schrieb:
> I cannot reproduce your bug. With my settings kphonerc is created with 664
> rights, since my umask is set to 002.
>
> I think that you have your umask set to 000. Which value returns 'umask ?'
test@sven-desktop:~$ umask
0022
test@sven-desktop:~$ ls -l .qt/kphonerc
-rw-r--r-- 1 test test 130 2006-02-04 09:57 .qt/kphonerc
test@sven-desktop:~$
But that is the problem: kphonerc is world-_readable_ and it contains
the username and password in clear text.
Umask value should not be applied in this case, the permissions on
kphonerc should always be 0600 since this file contains sensitive data.
Regards,
Sven
Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>: Bug#337830; Package kphone.
Acknowledgement sent to Ludovic Drolez <ldrolez@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>.
Sven Dreyer wrote:
> Hi Ludovic,
>
> Ludovic Drolez schrieb:
>
>>I cannot reproduce your bug. With my settings kphonerc is created with 664
>>rights, since my umask is set to 002.
>>
>>I think that you have your umask set to 000. Which value returns 'umask ?'
>
>
> test@sven-desktop:~$ umask
> 0022
> test@sven-desktop:~$ ls -l .qt/kphonerc
> -rw-r--r-- 1 test test 130 2006-02-04 09:57 .qt/kphonerc
> test@sven-desktop:~$
>
> But that is the problem: kphonerc is world-_readable_ and it contains
> the username and password in clear text.
>
> Umask value should not be applied in this case, the permissions on
> kphonerc should always be 0600 since this file contains sensitive data.
>
Ok. I've added 'umask(077)' in kphone.cpp, near the start of
KPhone::KPhone(), and it does the trick.
Klaus, since I'm not a Qt expert, should I use the unix umask or is there a
Qt equivalent ?
Regards,
--
Ludovic Drolez.
http://www.palmopensource.com - The PalmOS Open Source Portal
http://www.drolez.com - Personal site - Linux and PalmOS stuff
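The thread contrasts two behaviours: a plain fopen() yields 0666 masked by the umask (0644 with the reporter's 0022), while the fix forces owner-only permissions. The following is an added example, not kphone's code, showing both: the naive write and a hardened write that requests 0600 at creation and enforces it with fchmod(), which is not subject to the umask and also repairs a file that already exists with looser bits. Paths and the sample contents are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample of the kind of data kphonerc holds; not a real account. */
static const char SAMPLE_RC[] = "[Registration]\nUserName=alice\nPassword=example-only\n";

/* Permission bits of path (e.g. 0644), or -1 if it cannot be stat'ed. */
int file_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0) return -1;
    return (int)(st.st_mode & 07777);
}

/* The reported behaviour: a plain fopen() creates with 0666 & ~umask,
   so the secrets end up world-readable under the default 022 umask. */
int naive_write_mode(const char *path, mode_t mask)
{
    unlink(path);            /* start from a fresh file so creation mode applies */
    umask(mask);
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(SAMPLE_RC, f);
    fclose(f);
    int mode = file_mode(path);
    unlink(path);
    return mode;
}

/* Hardened variant: request 0600 at creation and enforce it with fchmod(),
   which ignores the umask and also tightens a pre-existing looser file. */
int private_write_mode(const char *path, mode_t mask)
{
    umask(mask);             /* even a fully permissive umask must not matter */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) < 0 ||
        write(fd, SAMPLE_RC, strlen(SAMPLE_RC)) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    int mode = file_mode(path);
    unlink(path);
    return mode;
}

int main(void)
{
    printf("naive write, umask 022:   %04o\n", naive_write_mode("/tmp/kphonerc.example", 022));
    printf("private write, umask 000: %04o\n", private_write_mode("/tmp/kphonerc.example", 0));
    return 0;
}
```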
Source: kphone
Source-Version: 1:4.2-6
We believe that the bug you reported is fixed in the latest version of
kphone, which is due to be installed in the Debian FTP archive:
kphone_4.2-6.diff.gz
to pool/main/k/kphone/kphone_4.2-6.diff.gz
kphone_4.2-6.dsc
to pool/main/k/kphone/kphone_4.2-6.dsc
kphone_4.2-6_i386.deb
to pool/main/k/kphone/kphone_4.2-6_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 337830@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mark Purcell <msp@debian.org> (supplier of updated kphone package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Mon, 17 Apr 2006 12:17:45 +0100
Source: kphone
Binary: kphone
Architecture: source i386
Version: 1:4.2-6
Distribution: unstable
Urgency: low
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Mark Purcell <msp@debian.org>
Description:
kphone - Voice over IP (VoIP) phone application
Closes: 337830 357959 361492
Changes:
kphone (1:4.2-6) unstable; urgency=low
.
[ Kilian Krause ]
* Add fix to compile with gcc4.1. (Closes: #357959)
* Lower build-depends on libqt3-mt-dev to ease backports to Sarge.
.
[ Mark Purcell ]
* Remove dpatch Build-Depends
* Update Build-Depends
- FTBFS on kfreebsd-amd64: unsatisfied Build-Depends (Closes: #361492)
* Add debian/patches/umask.diff
- Security problem in kphone (Closes: #337830)
Files:
c1a1080084887cefac3b6755fa8c90c1 888 kde optional kphone_4.2-6.dsc
cb73fc220ff9e1e6030838279c6e085d 5341 kde optional kphone_4.2-6.diff.gz
2d8b7d2df27ed76aef8a96a26d9c490a 422218 kde optional kphone_4.2-6_i386.deb
Changed Bug title.
Request was from Filipus Klutiero <chealer@vif.com>
to control@bugs.debian.org.
Bug marked as not found in version 4.2-3.
Request was from Filipus Klutiero <chealer@vif.com>
to control@bugs.debian.org.
Bug marked as found in version 1:4.2-3.
Request was from Filipus Klutiero <chealer@vif.com>
to control@bugs.debian.org.
Bug marked as found in version 1:4.1.0-2.
Request was from Filipus Klutiero <chealer@vif.com>
to control@bugs.debian.org.
Bug marked as fixed in version 1:4.1.0-2sarge1, send any further explanations to Sven Dreyer <sven@dreyer-net.de>
Request was from Filipus Klutiero <chealer@vif.com>
to control@bugs.debian.org.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 25 Jun 2007 02:07:16 GMT)