
Bug#182456: digitaldj: ~/.ddj is world-readable



Package: digitaldj
Version: 0.6-7.1
Severity: important
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

When a user runs ddj and sets (among other things) a username/password
for database access, that information is stored in ~/.ddj, which is
saved as mode 0644 (i.e. world/group readable). Mode 0600
(readable/writeable only by owner) would be preferable; effects of
this file being world-readable range from an attacker changing or
deleting data from the database, to full database access (if the user
is silly enough to use the same password for other things).

Another, more minor, problem appears when ddj is started for the first
time: it suggests that the default mysql root password is blank. While
this is true, it might be a good idea to suggest putting in a real
password if it is.

 .....Ron Murray


-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux khufu 2.4.19-xfs-khufu-6 #1 Tue Feb 18 20:31:57 EST 2003 i686
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages digitaldj depends on:
ii  amp                           0.7.6-7    The Audio MPEG Player
ii  libc6                         2.2.5-14.3 GNU C Library: Shared libraries an
ii  libglib1.2                    1.2.10-6   The GLib library of C routines
ii  libgtk1.2                     1.2.10-14  The GIMP Toolkit set of widgets fo
ii  libmysqlclient10              3.23.54a-1 mysql database client library
ii  mpg123                        0.59r-13   MPEG layer 1/2/3 audio player
ii  mpg123-nas [mpg123]           0.59r-13   MPEG layer 1/2/3 audio player with
ii  mpg321 [mpg123]               0.2.10.1   A Free command-line mp3 player, co
ii  xlibs                         4.2.1-3    X Window System client libraries

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE+W5/pitqjxNhsdN4RAk4xAJ9KMPgtbsF4CsNlrviqdLMpobFkmQCcDaU4
2j8Kq2VsYmOB4sQfpEiZ2wc=
=cqZC
-----END PGP SIGNATURE-----
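Added example (not from the bug report or the digitaldj source): the two ways of writing a credentials file that the report contrasts, in C, since that is what a GTK 1.2 program like this is written in. `save_config_insecure` uses the plain `fopen("w")` pattern, which creates the file at `0666 & ~umask`, typically `0644`. `save_config_private` asks for `S_IRUSR | S_IWUSR` (0600) at `open()` time, so the file never exists at a wider mode, and then `fchmod()`s it so an older copy that was already created at 0644 is tightened before any data is written into it. `config_mode_is_private` is the check a packager or user could run against an existing `~/.ddj`. The function names and the `/tmp` path in `main` are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if no group/other permission bits are set on the file,
 * 0 if any are set, -1 if the file cannot be stat()ed. */
int config_mode_is_private(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0 ? 1 : 0;
}

/* The pattern behind the bug: fopen("w") creates the file with mode
 * 0666 & ~umask, which is 0644 under the common 022 umask, so the
 * database username/password are readable by every local user. */
int save_config_insecure(const char *path, const char *contents)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    if (fputs(contents, fp) == EOF) {
        fclose(fp);
        return -1;
    }
    return fclose(fp);
}

/* Hardened version: request 0600 when the file is created (umask can
 * only remove bits, never add them), then fchmod() on the open fd so a
 * pre-existing 0644 file is tightened as well. The file is truncated
 * first and the secret is written only after the mode is fixed. */
int save_config_private(const char *path, const char *contents)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW,
                  S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        return -1;
    }
    size_t len = strlen(contents);
    ssize_t n = write(fd, contents, len);
    if (n < 0 || (size_t)n != len) {
        close(fd);
        return -1;
    }
    return close(fd);
}

int main(void)
{
    /* Constructed sample: a config fragment of the kind ~/.ddj holds. */
    const char *path = "/tmp/ddj-example-config";
    const char *sample = "dbuser=dj\ndbpass=example-only\n";

    umask(022);  /* typical login default */
    save_config_insecure(path, sample);
    printf("fopen(\"w\")   private=%d\n", config_mode_is_private(path));
    save_config_private(path, sample);
    printf("open(0600)   private=%d\n", config_mode_is_private(path));
    unlink(path);
    return 0;
}
```

Running the example under a 022 umask prints `private=0` for the `fopen` path and `private=1` after the hardened save; the second call also shows that re-saving over an existing world-readable file repairs its mode rather than inheriting it.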