password stored in plaintext in $HOME/.config/pithos.ini

Bug #733307 reported by Ian on 2011-03-11
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Pithos | Fix Released | Low | Luke Faraone | |
| pithos (Ubuntu) | | High | Luke Faraone | |

Bug Description

The configuration file which stores authentication for Pandora is world readable. This allows other local users to read a user's authentication credentials.

Kevin Mehall (kevin-mehall) wrote :

MD5 is not an option since we need to send the plaintext password to Pandora. A slightly more ideal solution would be to use gnome-keyring, but I'd like to avoid a hard gnome dependency and most users store their gnome keyrings unencrypted anyway.

`chmod 600 .config/pithos.ini` would probably be a reasonable thing for Pithos to do automatically, however.

Kevin Mehall (kevin-mehall) wrote :

Also, the password is sent over the wire encrypted with a publicly-known (i.e. in the Pandora .swf and Pithos source) Blowfish key.

visibility: private → public
Changed in pithos:
status: New → Triaged
importance: Undecided → Low
Luke Faraone (lfaraone) wrote :

Perhaps we should add a little notice indicating that Pithos does not store passwords securely, nor can it transmit them as such because of the aforementioned reasons.

We could also use python-keyring <http://pypi.python.org/pypi/keyring>, which is packaged in the repositories and abstracts away keyring access on GNOME, KDE, OSX. This way, the passwords are stored in a central location, which users can choose to protect if they so desire.

Luke Faraone (lfaraone) on 2011-04-08
visibility: public → private
Changed in pithos (Ubuntu):
importance: Undecided → High
Luke Faraone (lfaraone) on 2011-04-08
visibility: private → public
description: updated
Luke Faraone (lfaraone) on 2011-04-08
Changed in pithos (Ubuntu):
status: New → In Progress
assignee: nobody → Luke Faraone (lfaraone)
Reed Loden (reed) wrote :

Is it not possible to send the login information over SSL?

Luke Faraone (lfaraone) wrote :

Not as far as we're aware; the main login method used by the Pandora web client sends the password symmetrically encrypted.

We'll look into possibly logging in via SSL and transferring from an HTTP cookie to an LSO, but the protocol's use of Blowfish means that the authentication token (be it password or cookie) can be sniffed regardless.

Changed in pithos:
status: Triaged → Fix Committed
assignee: nobody → Luke Faraone (lfaraone)
Changed in pithos:
status: Fix Committed → Fix Released
Reed Loden (reed) wrote :

Why even offer the 'unsafe_permissions' option at all? Do you actually know of a specific case where a user would need different permissions on the file? Seems like it would be unwise to add configuration options "just because".

Luke Faraone (lfaraone) on 2011-04-13
Changed in pithos (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pithos - 0.3.8-1

---------------
pithos (0.3.8-1) unstable; urgency=high

  * New upstream bugfix release.
  * SECURITY UPDATE: Pandora password leak to local users. (LP: #733307)
    - pithos/PreferencesPithosDialog.py: correct mode on pithos.ini on next
      run of pithos
    - bin/pithos: run permissions fixer, resave pithos.ini if fix applied
    - CVE-2011-1500
  * Drop 0001_cell_background_fix.patch and
    0002_long_song_format_fix_lp734962.patch, integrated upstream.

pithos (0.3.7-3) unstable; urgency=low

  * Correctly handle hour-long songs. (LP: #734962)
  * Switch to dh_python2. (closes: #616939)
  * Bump standards version, no changes needed.
 -- Luke Faraone <email address hidden> Wed, 13 Apr 2011 14:22:05 +0000

Changed in pithos (Ubuntu):
status: Fix Committed → Fix Released
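
The check and fix discussed in this report, as an added example that is not Pithos's own code: it detects group/other permission bits on a credentials file, tightens an existing file to 0600, and rewrites the file without a window in which the umask-derived mode applies. The function names, the file name `example.ini` and the sample contents are assumptions made for illustration.

```python
import os
import stat
import tempfile

PRIVATE_MODE = 0o600  # owner read/write only, the mode `chmod 600` sets


def is_exposed(path):
    """True if group or other hold any permission bit on the file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)


def fix_mode(path):
    """Tighten an existing file to 0600. Returns True if a change was made."""
    if not os.path.exists(path) or not is_exposed(path):
        return False
    os.chmod(path, PRIVATE_MODE)
    return True


def write_private(path, text):
    """Write text so the file is never readable by other users, even briefly."""
    # mkstemp creates its file with mode 0600; writing there and renaming over
    # the target avoids the gap that open(path, "w") followed by chmod leaves.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
        os.replace(tmp, path)  # atomic on POSIX; the 0600 mode carries over
    except BaseException:
        os.unlink(tmp)
        raise


def demo():
    """Constructed sample: a world-readable ini file holding a fake password."""
    sample = "[User]\npassword = not-a-real-password\n"  # constructed contents
    with tempfile.TemporaryDirectory() as home:
        ini = os.path.join(home, "example.ini")  # hypothetical file name
        with open(ini, "w") as handle:
            handle.write(sample)
        os.chmod(ini, 0o644)  # what a umask of 022 produces by default
        before = is_exposed(ini)
        changed = fix_mode(ini)
        write_private(ini, sample)  # later saves keep the file private
        return before, changed, stat.S_IMODE(os.stat(ini).st_mode)
```

Tightening the mode only protects against other unprivileged local accounts; it does not change how the password is sent over the network, which the comments above treat as a separate problem.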
This report contains Public Security information
Everyone can see this security related information.