[Secure-testing-team] Bug#637439: qtnx: stores keys world readable
Christoph Anton Mitterer
calestyo at scientia.net
Thu Aug 11 13:03:20 UTC 2011
Package: qtnx
Version: 0.9-3
Severity: grave
Tags: security
Justification: user security hole
Hi.
It seems that qtnx stores any non-custom ssh keys world-readable:
$ ls -al ~/.qtnx/
total 12
drwxr-xr-x 2 user user 4096 Aug 11 15:01 .
drwx------ 51 user user 4096 Aug 11 15:01 ..
-rw-r--r-- 1 user user 1932 Aug 11 14:59 session.nxml
The file contains the key.
Cheers,
Chris.
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages qtnx depends on:
ii libc6 2.13-16 Embedded GNU C Library: Shared lib
ii libgcc1 1:4.6.1-6 GCC support library
pn libnxcl1 <none> (no description available)
ii libqt4-gui 4:4.7.3-7 transitional package for Qt 4 GUI
ii libqt4-xml 4:4.7.3-7 Qt 4 XML module
ii libqtcore4 4:4.7.3-7 Qt 4 core module
ii libstdc++6 4.6.1-6 GNU Standard C++ Library v3
qtnx recommends no packages.
qtnx suggests no packages.
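A defender-side check for the condition reported above, given as an added example that is not part of the original report or of qtnx. The function names `audit_perms`, `harden_perms` and `write_secret` are hypothetical, and the demo runs on a constructed temporary directory that reproduces the modes shown in the listing, not on a real `~/.qtnx`.

```shell
#!/bin/sh
# Added example: find and fix group/other-accessible entries in a per-user
# directory that holds key material (the ~/.qtnx layout from the report).

# List every non-symlink entry at or below $1 whose mode grants any
# permission to group or other. Exit status 0 = clean, 1 = findings.
audit_perms() {
    found=$(find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -z "$found" ]; then return 0; fi
    printf '%s\n' "$found"
    return 1
}

# Remove all group/other bits, leaving the owner's bits untouched.
harden_perms() {
    find "$1" ! -type l -exec chmod go-rwx {} +
}

# Create a secret-bearing file the safe way: the restrictive umask is in
# effect before the file exists, so it never has a looser mode, even briefly.
# Usage: write_secret FILE < data
write_secret() {
    ( umask 077 && mkdir -p "$(dirname "$1")" && cat > "$1" )
}

# Demo on a constructed directory with the same modes as in the report.
demo=$(mktemp -d)
mkdir -m 755 "$demo/.qtnx"
echo 'constructed placeholder, not a real key' > "$demo/.qtnx/session.nxml"
chmod 644 "$demo/.qtnx/session.nxml"
audit_perms "$demo/.qtnx" || echo "^ accessible beyond the owner"
harden_perms "$demo/.qtnx"
audit_perms "$demo/.qtnx" && echo "clean after harden_perms"
rm -rf "$demo"
```

Tightening modes after the fact does not undo exposure that already happened; a key that sat in a world-readable file on a multi-user system should be treated as disclosed and replaced.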