Package: minigalaxy
Version: 1.0.1-1
Severity: grave
Tags: security
Justification: introduces a security hole allowing access to the accounts of users who use the package
Hi,

thanks for packaging minigalaxy. Unfortunately it's unusable as you can't conscientiously log in to GOG: on startup it shows a login window which looks suspiciously like a GOG login window in a web browser, but without any possibility to check its origin. It has no location bar, i.e. it shows no URL, it doesn't indicate whether the entered credentials are transmitted encrypted via HTTPS or not, and it offers no chance to review the HTTPS TLS certificate if present.

Proof that it actually is a browser window: it has "Back", "Forward", "Reload", etc. in the right-click context menu, and I see two "WebKit" processes being forked from minigalaxy:

  abe  24326  2.6  0.1 86076304 113572 pts/16 Sl+  00:12  0:10  \_ /usr/bin/python3 /usr/games/minigalaxy
  abe  24799  7.1  0.2 86563632 160396 pts/16 SLl+ 00:12  0:27      \_ /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitWebProcess 7 16
  abe  24802  0.0  0.0 86442844  59232 pts/16 SLl+ 00:12  0:00      \_ /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitNetworkProcess 8 16

Possible solution: don't use an embedded browser window but call sensible-browser or so to use the browser which the user is probably already logged in to GOG with anyway. Or just show the location bar of the browser window, which lets the user have a look at the URL and certificates being used.
-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (600, 'testing'), (500, 'unstable-debug'), (500, 'buildd-unstable'), (110, 'experimental'), (1, 'experimental-debug'), (1, 'buildd-experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-1-amd64 (SMP w/4 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages minigalaxy depends on:
ii  gir1.2-gtk-3.0      3.24.24-1
ii  gir1.2-webkit2-4.0  2.30.4-1
ii  python3             3.9.1-1
ii  python3-gi          3.38.0-1+b2
ii  python3-gi-cairo    3.38.0-1+b2
ii  python3-requests    2.25.1+dfsg-2
ii  unzip               6.0-26
ii  xdg-utils           1.1.3-4

minigalaxy recommends no packages.

Versions of packages minigalaxy suggests:
ii  dosbox   0.74-3-2
ii  scummvm  2.2.0+dfsg1-4
pn  wine32 | wine32-development | wine-stable-i386 | wine-devel-  <none>

-- no debconf information
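The first suggested fix in the report (hand the login to the user's own browser instead of an embedded WebKit view) is the standard native-app OAuth pattern: the application never renders the login page itself, so the user gets the real browser's location bar and certificate viewer, and the app only receives the resulting authorization code on a loopback redirect. The following is an added example written for this bug report, not code from minigalaxy or from GOG; the authorization endpoint and client id are hypothetical placeholders, and `deliver_callback` is a constructed stand-in for the redirect the browser would perform. The `state` parameter is checked with a constant-time compare so that a redirect forged by something else on the machine cannot inject a code into the waiting application.

```python
"""Log in via the system browser and receive the OAuth code on a loopback listener."""
import hmac
import http.server
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
import webbrowser

# Hypothetical placeholders for this example; not GOG's real endpoint or client id.
AUTH_URL = "https://auth.example.invalid/oauth/authorize"
CLIENT_ID = "example-client-id"


def build_auth_url(redirect_uri, state):
    """Authorization URL the user's own browser will open (URL and TLS visible to them)."""
    params = {"client_id": CLIENT_ID, "redirect_uri": redirect_uri,
              "response_type": "code", "state": state}
    return AUTH_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(path, expected_state):
    """Return the code from a redirect path, or None if the state is missing or wrong."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    code = params.get("code", [None])[0]
    state = params.get("state", [None])[0]
    if code is None or state is None:
        return None
    # Constant-time compare of the anti-CSRF token we generated for this flow.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        return None
    return code


class LoginFlow:
    """One login attempt: a fresh state token and a loopback HTTP listener on 127.0.0.1."""

    def __init__(self):
        self.state = secrets.token_urlsafe(32)
        self.code = None
        self._done = threading.Event()
        flow = self

        class Handler(http.server.BaseHTTPRequestHandler):
            def do_GET(self):
                code = parse_callback(self.path, flow.state)
                if code is None:
                    status, body = 400, b"Login rejected: missing or mismatched state."
                else:
                    flow.code = code
                    status, body = 200, b"Login complete, you can return to the application."
                self.send_response(status)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
                if code is not None:
                    flow._done.set()

            def log_message(self, *args):  # keep the example quiet
                pass

        # Port 0: let the kernel pick a free port; only loopback is bound.
        self.server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
        self.base_url = "http://127.0.0.1:%d" % self.server.server_port
        self.redirect_uri = self.base_url + "/callback"
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def auth_url(self):
        return build_auth_url(self.redirect_uri, self.state)

    def wait(self, timeout=None):
        """Block until the browser delivered a valid code (or timeout), then stop listening."""
        finished = self._done.wait(timeout)
        self.server.shutdown()
        self.server.server_close()
        return self.code if finished else None


def deliver_callback(flow, path):
    """Constructed stand-in for the browser's redirect: GET the callback path on the listener."""
    try:
        with urllib.request.urlopen(flow.base_url + path, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    flow = LoginFlow()
    print("Opening in your browser:", flow.auth_url())
    webbrowser.open(flow.auth_url())  # sensible-browser / xdg-open on Debian
    print("Authorization code:", flow.wait(timeout=300))
```

The application only ever sees the authorization code, never the password, and because the listener is bound to 127.0.0.1 with a per-attempt random `state`, a local process that merely knows the port cannot complete the login on the user's behalf.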