Package: kvpnc
Version: 0.8.6.1-1
Severity: normal
Tags: security

--- Please enter the report below this line. ---

When using kvpnc with pptp you have the option *not* to store the password and username. But even when you choose this option, kvpnc stores the username in /etc/ppp/peers/kvpnc.foo and the password in /etc/ppp/chap-secrets.

Although the chap-secrets is just readable by root/root, the passwords are stored in cleartext in this file, so pretending not to store the passwords but storing them behind the back of the user is a security concern.

If you want to reproduce this bug, please keep in mind that the passwords are stored in chap-secrets after you tried to connect. So you must connect before the passwords are stored.

I leave it to you to adjust the severity of this bug.

Cheers,

Bastian

--- System information. ---
Architecture: i386
Kernel: Linux 2.6.18-4-686

Debian Release: 4.0
  500 unstable        www.debian-multimedia.org
  500 unstable        ftp.de.debian.org
    1 experimental    ftp.de.debian.org

--- Package information. ---
Depends                     (Version) | Installed
=====================================-+-================
kdelibs4c2a            (>= 4:3.5.4-1) | 4:3.5.5a.dfsg.1-6
libc6                    (>= 2.3.6-6) | 2.3.6.ds1-13
libgcc1               (>= 1:4.1.1-12) | 1:4.1.1-21
libgcrypt11                (>= 1.2.2) | 1.2.3-2
libice6                  (>= 1:1.0.0) | 1:1.0.1-2
libpng12-0              (>= 1.2.8rel) | 1.2.15~beta5-1
libqt3-mt                (>= 3:3.3.6) | 3:3.3.7-3
libsm6                                | 1:1.0.1-3
libstdc++6              (>= 4.1.1-12) | 4.1.1-21
libx11-6                              | 2:1.0.3-6
libxext6                              | 1:1.0.1-2
zlib1g                   (>= 1:1.2.1) | 1:1.2.3-13
menu                                  | 2.1.33
net-tools                             | 1.60-17
psmisc                                | 22.3-1
kdebase-bin                           | 4:3.5.5a.dfsg.1-6
 OR gksu                              |
 OR sux                               |
module-init-tools                     | 3.3-pre4-2
 OR modutils                          |

--
Bastian Venthur
http://venthur.de
Debian Developer
venthur at debian org
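A way to verify the behaviour described in the report after a connection attempt, written as an added example (it is not part of the bug report and not kvpnc code). The sample file contents are constructed, and the assumption that the username appears in the peers file as a pppd `name` or `user` option is mine, not the report's.

```python
import shlex
import stat

# Constructed sample contents (not taken from the report).
SAMPLE_PEER = "# profile written after a connection attempt\nname alice\nnoauth\n"
SAMPLE_SECRETS = (
    "# client  server  secret  IP addresses\n"
    'alice kvpnc.foo "s3cret pass" *\n'
    "bob * @/etc/ppp/bob.secret *\n"
)

def _fields(line):
    """Split one pppd config line; quoted fields and # comments are honoured."""
    try:
        return shlex.split(line, comments=True)
    except ValueError:  # unbalanced quote: treat the line as unparseable
        return []

def peer_username(text):
    """Username set by a 'name' or 'user' option in a peers file, else None."""
    for line in text.splitlines():
        f = _fields(line)
        if len(f) >= 2 and f[0] in ("name", "user"):
            return f[1]
    return None

def parse_chap_secrets(text):
    """(client, server, secret) for every entry in chap-secrets content."""
    return [tuple(f[:3]) for f in map(_fields, text.splitlines()) if len(f) >= 3]

def stored_cleartext(entries, username):
    """Entries for username with an inline secret (not empty, not @file)."""
    return [e for e in entries
            if e[0] == username and e[2] and not e[2].startswith("@")]

def mode_is_owner_only(mode):
    """True when group and other have no permission bits set."""
    return stat.S_IMODE(mode) & 0o077 == 0

if __name__ == "__main__":
    user = peer_username(SAMPLE_PEER)
    hits = stored_cleartext(parse_chap_secrets(SAMPLE_SECRETS), user)
    # Print client/server only, never the secret itself.
    for client, server, _ in hits:
        print(f"cleartext secret stored for {client!r} (server {server!r})")
    print("owner-only 0600:", mode_is_owner_only(0o100600))
```

On a real system, feed the functions the contents of /etc/ppp/peers/kvpnc.foo and /etc/ppp/chap-secrets (read as root) and the `st_mode` from `os.stat` on chap-secrets.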