Message-ID: <email address hidden>
Date: Fri, 10 Dec 2004 14:45:15 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: CAN-2004-1171: plain text password exposure
Package: kdelibs, kdebase
Version: 3.3.2
Tags: security, patch
Severity: serious
CAN-2004-1171 is about a security hole in KDE that allows for possible
password leakage:

KDE 3.2.x and 3.3.0 through 3.3.2, when saving credentials that are (1)
manually entered by the user or (2) created by the SMB protocol handler, stores
those credentials in plaintext in the user's .desktop file, which may be
created with world-readable permissions, which could allow local users to
obtain usernames and passwords for remote resources such as SMB shares.

Note that this will need to be fixed in both the version in unstable
and the older version in testing via t-p-u. This page has details of the
hole and links to patches for all recent versions of KDE:
http://marc.theaimsgroup.com/?l=bugtraq&m=110261063201488&w=2
-- 
see shy jo
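
An audit check for the exposure described in this report, added here as an example and not part of the original message or of KDE's patches: it walks a directory for .desktop files whose key=value lines hold a URL with a password, and flags the ones readable by group or others. It assumes the saved credentials appear as the userinfo part of a URL; the function names, sample files, hosts and passwords are constructed for illustration.

```python
import os
import stat
import tempfile
from urllib.parse import urlsplit

def embedded_credentials(text):
    """Yield (key, username) for each key=value line whose URL value carries a password."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.lstrip().startswith("#"):
            continue
        try:
            parts = urlsplit(value.strip())
        except ValueError:  # malformed netloc, not a usable URL
            continue
        if parts.scheme and parts.password:
            yield key.strip(), parts.username

def audit(root):
    """Report .desktop files under root that hold URL credentials (password is never echoed)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(f for f in files if f.endswith(".desktop")):
            path = os.path.join(dirpath, name)
            try:
                mode = stat.S_IMODE(os.lstat(path).st_mode)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = list(embedded_credentials(fh.read()))
            except OSError:
                continue
            exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))  # readable beyond the owner
            findings += [{"file": name, "key": k, "user": u, "exposed": exposed} for k, u in hits]
    return findings

def demo():
    """Constructed samples: two link files with a password in the URL, one without."""
    samples = {
        "share.desktop": ("[Desktop Entry]\nType=Link\nURL=smb://alice:s3cret@fileserver/docs\n", 0o644),
        "private.desktop": ("[Desktop Entry]\nType=Link\nURL=smb://bob:hunter2@nas/home\n", 0o600),
        "clean.desktop": ("[Desktop Entry]\nType=Link\nURL=smb://fileserver/public\n", 0o644),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (body, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return audit(root)
```

A finding with `exposed` set to False still means the password sits in plaintext on disk; the flag only separates files other local users can read from those restricted to the owner.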