[Secure-testing-team] Bug#589288: kupfer: Missing dependency on python-keyring-gnome
Mihai Capotă
mihai at mihaic.ro
Fri Jul 16 12:55:22 UTC 2010
Package: kupfer
Version: 0+v201-0ubuntu0~kupferhope
Severity: grave
Tags: security
Justification: user security hole
Kupfer stores passwords in base64 encoding unless python-keyring-gnome is installed. This is despite the use of python-keyring, since the default AES encrypted backend of python-keyring is disabled on purpose in Kupfer (because it prompts for a password on first run) [1].
If python-keyring-gnome is installed, python-keyring uses GNOME Keyring automatically. Kupfer should depend on (or recommend) python-keyring-gnome (or python-keyring-kwallet).
[1] https://bugs.launchpad.net/kupfer/+bug/593319/comments/7
-- System Information:
Debian Release: squeeze/sid
APT prefers lucid-updates
APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-23-generic (SMP w/2 CPU cores)
Locale: LANG=ro_RO.utf8, LC_CTYPE=ro_RO.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages kupfer depends on:
ii dbus 1.2.16-2ubuntu4 simple interprocess messaging syst
ii python-dbus 0.83.0-1ubuntu3 simple interprocess messaging syst
ii python-gobject 2.21.1-0ubuntu3 Python bindings for the GObject li
ii python-gtk2 2.17.0-0ubuntu2 Python bindings for the GTK+ widge
ii python-keybind 0.1.1-0ubuntu0~kupferhope register global key bindings for P
ii python-keyring 0.2-3 store and access your passwords sa
ii python-support 1.0.4ubuntu1 automated rebuilding support for P
ii python-xdg 0.18-1ubuntu2 Python library to access freedeskt
ii python2.6 2.6.5-1ubuntu6 An interactive high-level object-o
Versions of packages kupfer recommends:
ii python-gnome2 2.28.0-1ubuntu1 Python bindings for the GNOME desk
ii python-wnck 2.30.0-0ubuntu1 Python bindings for the WNCK libra
Versions of packages kupfer suggests:
pn python-cjson <none> (no description available)
pn python-nautilus <none> (no description available)
-- no debconf information
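
The report's point is that base64 is an encoding, not protection: anyone who can read the file can read the passwords. The following is an added example, not code from Kupfer or python-keyring; it audits a credential file and flags entries that are only base64-encoded. The INI layout (one section per service, one key per user), the section and user names, and the sample values are all constructed assumptions.

```python
import base64
import binascii
import configparser


def classify(value):
    """Say how a stored value is protected, without returning the secret."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    if not raw:
        return "empty"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        # Bytes that are not text are consistent with ciphertext.
        return "opaque"
    # Readable text after a plain decode means no key was ever involved.
    return "encoded-only" if text.isprintable() else "opaque"


def audit_store(ini_text):
    """Return (service, user, verdict) for every entry in the store."""
    parser = configparser.RawConfigParser()
    parser.read_string(ini_text)
    return [(service, user, classify(value))
            for service in parser.sections()
            for user, value in parser.items(service)]


def build_sample():
    """Constructed store: one base64-only entry, one ciphertext-like entry."""
    readable = base64.b64encode(b"example-password").decode()
    opaque = base64.b64encode(bytes.fromhex("9c1fe4a07b02d3ff885e10c6")).decode()
    return ("[kupfer-plugin]\nalice = %s\n\n"
            "[other-service]\nbob = %s\n" % (readable, opaque))


if __name__ == "__main__":
    for service, user, verdict in audit_store(build_sample()):
        flag = "WEAK" if verdict == "encoded-only" else "ok  "
        print("%s %s/%s: %s" % (flag, service, user, verdict))
```

An "opaque" verdict only means the value is not readable text after decoding; it does not prove the entry is encrypted well.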