Comment 2 for bug 11114

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 10 Dec 2004 14:45:15 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: CAN-2004-1171: plain text password exposure

Package: kdelibs, kdebase
Version: 3.3.2
Tags: security, patch
Severity: serious

CAN-2004-1171 is about a security hole in KDE that allows for possible
password leakage:

  KDE 3.2.x and 3.3.0 through 3.3.2, when saving credentials that are (1)
  manually entered by the user or (2) created by the SMB protocol handler,
  stores those credentials in plaintext in the user's .desktop file, which
  may be created with world-readable permissions, which could allow local
  users to obtain usernames and passwords for remote resources such as SMB
  shares.

Note that this will need to be fixed in both the version in unstable
and the older version in testing via t-p-u. This page has details of the
hole and links to patches for all recent versions of KDE:

http://marc.theaimsgroup.com/?l=bugtraq&m=110261063201488&w=2

--
see shy jo

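An audit for the condition this report describes, added here as an example and not part of the original message or of the KDE patches: it walks a directory for `.desktop` files that hold a password and reports whether group or other can read them. That the credentials appear as the userinfo part of a `URL=` entry is an assumption, and the function names are illustrative.

```python
import os
import stat
import sys
from urllib.parse import urlsplit


def url_has_password(line):
    """True if a URL= (or URL[$e]=) entry has a password in its userinfo.

    Assumed line form (not taken from the report): URL=smb://user:pw@host/share
    """
    key, sep, value = line.partition("=")
    if not sep or not key.strip().startswith("URL"):
        return False
    try:
        return bool(urlsplit(value.strip()).password)
    except ValueError:  # malformed URL: nothing to report
        return False


def audit_desktop_files(root):
    """List (path, mode, exposed) for .desktop files that store URL passwords.

    exposed is True when group or other may read the file.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not (name.endswith(".desktop") and stat.S_ISREG(st.st_mode)):
                    continue
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hit = any(url_has_password(line) for line in fh)
            except OSError:
                continue
            if hit:
                mode = stat.S_IMODE(st.st_mode)
                findings.append((path, oct(mode), bool(mode & 0o044)))
    return findings


def tighten(path):
    """Limit a flagged file to owner read/write."""
    os.chmod(path, 0o600)


if __name__ == "__main__":
    # Audit the directory given on the command line (default: the user's home).
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for path, mode, exposed in audit_desktop_files(root):
        print(("EXPOSED " if exposed else "private ") + mode, path)
```

Tightening the mode only limits who can read the file; the password is still stored in plaintext until the entry is recreated with a patched KDE.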