
Bug#285126: marked as done (CAN-2004-1171: plain text password exposure)



Your message dated Mon, 3 Jan 2005 21:59:38 -0800
with message-id <20050104055934.GF17970@mauritius.dodds.net>
and subject line KDE 3.3.1 in sarge, closes many RC bugs
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 10 Dec 2004 19:43:45 +0000
>From joey@kitenet.net Fri Dec 10 11:43:45 2004
Return-path: <joey@kitenet.net>
Received: from kitenet.net [64.62.161.42] (postfix)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Ccqg5-0002M2-00; Fri, 10 Dec 2004 11:43:45 -0800
Received: from dragon.kitenet.net (unknown [66.168.94.144])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "Joey Hess", Issuer "Joey Hess" (verified OK))
	by kitenet.net (Postfix) with ESMTP id 67BDE17E18
	for <submit@bugs.debian.org>; Fri, 10 Dec 2004 19:43:45 +0000 (GMT)
Received: by dragon.kitenet.net (Postfix, from userid 1000)
	id 72F2C6E08E; Fri, 10 Dec 2004 14:45:15 -0500 (EST)
Date: Fri, 10 Dec 2004 14:45:15 -0500
From: Joey Hess <joeyh@debian.org>
To: submit@bugs.debian.org
Subject: CAN-2004-1171: plain text password exposure
Message-ID: <20041210194515.GA13705@kitenet.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="zYM0uCDKw75PZbzx"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 


--zYM0uCDKw75PZbzx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: kdelibs, kdebase
Version: 3.3.2
Tags: security, patch
Severity: serious

CAN-2004-1171 is about a security hole in KDE that allows for possible
password leakage:

  KDE 3.2.x and 3.3.0 through 3.3.2, when saving credentials that are (1)
  manually entered by the user or (2) created by the SMB protocol handler,
  stores those credentials in plaintext in the user's .desktop file, which
  may be created with world-readable permissions, which could allow local users
  to obtain usernames and passwords for remote resources such as SMB shares.

Note that this will need to be fixed in both the version in unstable
and the older version in testing via t-p-u. This page has details of the
hole and links to patches for all recent versions of KDE:

http://marc.theaimsgroup.com/?l=bugtraq&m=110261063201488&w=2

-- 
see shy jo

--zYM0uCDKw75PZbzx
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline


--zYM0uCDKw75PZbzx--
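
Added example, not part of the original report or of KDE's patches: a small audit that walks a directory for .desktop files, flags any `key=value` entry whose URL carries a password, and records whether the file mode lets group or other users read it. It assumes the saved credentials appear in `user:password@host` form inside a URL-valued key; the file names, host and password in `demo()` are constructed.

```python
import os
import stat
import tempfile
from urllib.parse import urlsplit

def embedded_credentials(path):
    """Return (key, user, host) for each key=value entry whose URL carries a password."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            if not sep or "://" not in value:
                continue
            try:
                parts = urlsplit(value)
                if parts.password:
                    # Never echo the password itself into the report.
                    hits.append((key, parts.username, parts.hostname))
            except ValueError:
                continue  # malformed URL; nothing to report
    return hits

def audit(root):
    """Walk root and report .desktop files holding credentials, with their mode."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(f for f in files if f.endswith(".desktop")):
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
            for key, user, host in embedded_credentials(path):
                findings.append((name, key, user, host, oct(mode), exposed))
    return findings

def demo():
    """Constructed sample files: same secret, different permissions, plus a clean one."""
    samples = {
        "share.desktop": ("URL=smb://alice:constructed-pw@fileserver.example/docs", 0o644),
        "private.desktop": ("URL=smb://alice:constructed-pw@fileserver.example/docs", 0o600),
        "clean.desktop": ("URL=smb://fileserver.example/docs", 0o644),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (entry, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write("[Desktop Entry]\nType=Link\n" + entry + "\n")
            os.chmod(path, mode)
        return audit(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A file reported with `exposed` false still holds the password in plaintext; restrictive permissions only narrow who can read it.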

---------------------------------------
Received: (at 285126-done) by bugs.debian.org; 4 Jan 2005 05:59:38 +0000
>From vorlon@debian.org Mon Jan 03 21:59:38 2005
Return-path: <vorlon@debian.org>
Received: from dsl093-039-086.pdx1.dsl.speakeasy.net (localhost.localdomain) [66.93.39.86] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1ClhjG-0002gy-00; Mon, 03 Jan 2005 21:59:38 -0800
Received: by localhost.localdomain (Postfix, from userid 1000)
	id C24BD1720C5; Mon,  3 Jan 2005 21:59:38 -0800 (PST)
Date: Mon, 3 Jan 2005 21:59:38 -0800
From: Steve Langasek <vorlon@debian.org>
To: 282352-done@bugs.debian.org, 285126-done@bugs.debian.org,
	271256-done@bugs.debian.org, 286510-done@bugs.debian.org,
	282364-done@bugs.debian.org, 282232-done@bugs.debian.org,
	280373-done@bugs.debian.org, 252670-done@bugs.debian.org,
	278173-done@bugs.debian.org, 287080-done@bugs.debian.org,
	253701-done@bugs.debian.org, 247243-done@bugs.debian.org,
	282257-done@bugs.debian.org
Cc: debian-release@lists.debian.org
Subject: KDE 3.3.1 in sarge, closes many RC bugs
Message-ID: <20050104055934.GF17970@mauritius.dodds.net>
Mail-Followup-To: 282352-done@bugs.debian.org,
	285126-done@bugs.debian.org, 271256-done@bugs.debian.org,
	286510-done@bugs.debian.org, 282364-done@bugs.debian.org,
	282232-done@bugs.debian.org, 280373-done@bugs.debian.org,
	252670-done@bugs.debian.org, 278173-done@bugs.debian.org,
	287080-done@bugs.debian.org, 253701-done@bugs.debian.org,
	247243-done@bugs.debian.org, 282257-done@bugs.debian.org,
	debian-release@lists.debian.org
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="m1UC1K4AOz1Ywdkx"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i
Delivered-To: 285126-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-5.0 required=4.0 tests=BAYES_00,VALID_BTS_CONTROL 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 12


--m1UC1K4AOz1Ywdkx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

tags 285126 -sarge
tags 271256 -sarge
tags 285126 -sarge
tags 252670 -sarge
tags 278173 +sid
tags 253701 -sarge
tags 247243 -sarge
thanks

KDE 3.3 has been accepted into testing and should be visible from the
mirrors starting tomorrow.  I believe all of these RC bugs can therefore be
closed.

Many thanks to the KDE team for their efforts in making this happen, and to
Anthony Towns for handholding britney through the transition.

-- 
Steve Langasek
postmodern programmer

--m1UC1K4AOz1Ywdkx
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline


--m1UC1K4AOz1Ywdkx--
