Bug#394794: gaim: insecure password storage
Package: gaim
Version: 1:2.0.0+beta4-1
Severity: normal

Application stores passwords insecurely in ~/.gaim/accounts.xml

Application should either:
1) Encrypt files containing sensitive data with a passphrase.
2) Use a keychain or wallet service to store passwords if it's available.
3) Not offer option of password storage.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (700, 'unstable'), (600, 'testing')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages gaim depends on:
ii  gaim-data                 1:2.0.0+beta4-1  multi-protocol instant messaging c
ii  libaspell15               0.60.4-4         GNU Aspell spell-checker runtime l
ii  libatk1.0-0               1.12.3-1         The ATK accessibility toolkit
ii  libavahi-compat-howl0     0.6.14-2         Avahi Howl compatibility library
ii  libc6                     2.3.6.ds1-6      GNU C Library: Shared libraries
ii  libcairo2                 1.2.4-4          The Cairo 2D vector graphics libra
ii  libdbus-1-3               0.93-1           simple interprocess messaging syst
ii  libdbus-glib-1-2          0.71-2           simple interprocess messaging syst
ii  libfontconfig1            2.4.1-2          generic font configuration library
ii  libgcrypt11               1.2.3-2          LGPL Crypto library - runtime libr
ii  libglib2.0-0              2.12.4-1         The GLib library of C routines
ii  libgnutls13               1.4.4-2          the GNU TLS library - runtime libr
ii  libgstreamer0.10-0        0.10.10-2        Core GStreamer libraries and eleme
ii  libgtk2.0-0               2.8.20-3         The GTK+ graphical user interface
ii  libgtkspell0              2.0.10-3+b1      a spell-checking addon for GTK's T
ii  libice6                   1:1.0.1-2        X11 Inter-Client Exchange library
ii  libncursesw5              5.5-5            Shared libraries for terminal hand
ii  libpango1.0-0             1.14.7-1         Layout and rendering of internatio
ii  libperl5.8                5.8.8-6.1        Shared Perl library
ii  libsm6                    1:1.0.1-3        X11 Session Management library
ii  libstartup-notification0  0.8-2            library for program launch feedbac
ii  libx11-6                  2:1.0.3-2        X11 client-side library
ii  libxcursor1               1.1.7-4          X cursor management library
ii  libxext6                  1:1.0.1-2        X11 miscellaneous extension librar
ii  libxfixes3                1:4.0.1-4        X11 miscellaneous 'fixes' extensio
ii  libxi6                    1:1.0.1-3        X11 Input extension library
ii  libxinerama1              1:1.0.1-4.1      X11 Xinerama extension library
ii  libxml2                   2.6.26.dfsg-4    GNOME XML library
ii  libxrandr2                2:1.1.0.2-4      X11 RandR extension library
ii  libxrender1               1:0.9.1-3        X Rendering Extension client libra
ii  libxss1                   1:1.1.0-1        X11 Screen Saver extension library

gaim recommends no packages.

-- no debconf information
Bug#394794: gaim: insecure password storage
See http://gaim.sf.net/plaintextpasswords.php

luke
Bug#394794: gaim: insecure password storage
On Mon, 2006-10-23 at 03:07 -0400, Stephanie Erin Daugherty wrote:
> Package: gaim
> Version: 1:2.0.0+beta4-1
> Severity: normal
>
> Application stores passwords insecurely in ~/.gaim/accounts.xml

This is addressed in the Gaim FAQ, specifically:
http://gaim.sourceforge.net/plaintextpasswords.php

> Application should either:
> 1) Encrypt files containing sensitive data with a passphrase.
> 2) Use a keychain or wallet service to store passwords if it's available.
> 3) Not offer option of password storage.

I personally wouldn't object to having a way to (optionally) store passwords in the GNOME keyring, but this is hardly a bug.

Richard
Bug#394794: gaim: insecure password storage
On Mon, Oct 23, 2006 at 07:39:10AM -0500, Richard Laager wrote:
> On Mon, 2006-10-23 at 03:07 -0400, Stephanie Erin Daugherty wrote:
> > Application should either:
> > 1) Encrypt files containing sensitive data with a passphrase.
> > 2) Use a keychain or wallet service to store passwords if it's available.
> > 3) Not offer option of password storage.
>
> I personally wouldn't object to having a way to (optionally) store passwords in the GNOME keyring, but this is hardly a bug.
>
> Richard

charkins proposed a patch that would add in an API so that a plugin could move password storage/retrieval to a plugin. This might be the best way to implement such functionality.

luke