amule.conf may contains passwords: should not be world-readable

Bug #493554 reported by Ludwin Janvier
This bug affects 1 person
Affects: amule (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Binary package hint: amule

How to reproduce:
Install amule pkg, create amule user, add it to /etc/default/amule.
sudo service amule-daemon start

The first launch will create files in ~/.aMule (rwxr-xr-x) - including an amule.conf file, which is created as rw-r--r--
The only way to interact with the amule daemon is to enable remote access and add a password in the "Password" or "ECPassword" field. Passwords have to be MD5-encrypted, but it's still a vulnerability. At least this file should be 640.

ProblemType: Bug
Architecture: i386
Date: Mon Dec 7 10:36:31 2009
DistroRelease: Ubuntu 9.10
Package: amule-daemon 2.2.6-0ubuntu1
ProcEnviron:
 LANGUAGE=fr_FR:fr
 PATH=(custom, user)
 LANG=fr_FR.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-15.50-generic
SourcePackage: amule
Uname: Linux 2.6.31-15-generic i686
XsessionErrors: (polkit-gnome-authentication-agent-1:11449): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
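
A local check for the condition this report describes, as an added example that is not part of the original report or of the amule package: it flags an amule.conf that is world-readable and sets a non-empty Password or ECPassword value, then applies the 640 mode the reporter asks for. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical and
# the sample config written by demo() is constructed.

# Succeeds if FILE sets a non-empty Password= or ECPassword= value.
has_password_hash() {
    grep -Eq '^[[:space:]]*(Password|ECPassword)=[^[:space:]]+' "$1"
}

# Succeeds if the "other" read bit (mode & 004) is set on PATH.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

# Prints one finding line. Returns 0 = fine, 1 = exposed hash, 2 = file missing.
audit_amule_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "MISSING $conf"; return 2; }
    if world_readable "$conf" && has_password_hash "$conf"; then
        echo "EXPOSED $conf: password hash readable by every local user"
        return 1
    fi
    echo "OK $conf"
}

# Applies the 640 mode suggested in the report (owner rw, group r, others none).
harden_amule_conf() {
    chmod 640 "$1"
}

# Demo on a throwaway file that mimics the first-launch state (rw-r--r--).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '[ExternalConnect]' \
        'ECPassword=0123456789abcdef0123456789abcdef' > "$dir/amule.conf"
    chmod 644 "$dir/amule.conf"
    audit_amule_conf "$dir/amule.conf"     # reports EXPOSED
    harden_amule_conf "$dir/amule.conf"
    audit_amule_conf "$dir/amule.conf"     # reports OK
    rm -rf "$dir"
}
demo
```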

Ludwin Janvier (lud-janvier) wrote :
Kees Cook (kees)
Changed in amule (Ubuntu):
status: New → Confirmed
visibility: private → public
shankao (shankao) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. We are sorry that we do not always have the capacity to look at all reported bugs in a timely manner. There have been many changes in Ubuntu since that time you reported the bug and your problem may have been fixed with some of the updates. It would help us a lot if you could test it on a currently supported Ubuntu version. When you test it and it is still an issue, kindly upload the updated logs by running apport-collect 493554 and any other logs that are relevant for this particular issue.

Changed in amule (Ubuntu):
status: Confirmed → Incomplete
summary: - amule.conf may contains passwords: should not be world world-readable
+ amule.conf may contains passwords: should not be world-readable
Launchpad Janitor (janitor) wrote :

[Expired for amule (Ubuntu) because there has been no activity for 60 days.]

Changed in amule (Ubuntu):
status: Incomplete → Expired
This report contains Public Security information  
Everyone can see this security related information.
