Bug 166801 - net-misc/vpnc - world-readable credentials
Summary: net-misc/vpnc - world-readable credentials
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa] Falco
Keywords:
Depends on:
Blocks: 158271
Reported: 2007-02-14 09:51 UTC by Jakub Moc (RETIRED)
Modified: 2007-03-13 23:03 UTC

See Also:
Package list:
Runtime testing required: ---


Description Jakub Moc (RETIRED) gentoo-dev 2007-02-14 09:51:45 UTC
Opfer noticed that vpnc.conf is installed with 0644 permissions; it definitely should not be, as it contains sensitive data.

# cat vpnc.conf 
IPSec gateway 131.246.118.240
IPSec ID unikl
IPSec secret unikl
Xauth username abcdef
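As an added example, not taken from this bug report or from the vpnc package: a small POSIX shell audit that flags exactly the defect described above (a vpnc.conf whose mode lets group or other users read the pre-shared secret) and applies the owner-only fix. All function names are hypothetical, the sample file content used in the usage comment is constructed, and the path /etc/vpnc/vpnc.conf is an assumption this bug does not state.

```shell
# Added example (not part of bug 166801 or of vpnc): audit and harden the
# permission bits of a vpnc.conf-style credential file.
# Function names are hypothetical; nothing here comes from the vpnc source.

# Print the keys of the lines that hold secrets. "IPSec secret" is the
# group pre-shared key visible in the report above; "Xauth password" is
# the optional per-user password key vpnc.conf also accepts.
vpnc_conf_secret_keys() {
    awk '/^(IPSec secret|Xauth password)[[:space:]]/ { print $1, $2 }' "$1"
}

# Return 0 when the file is readable only by its owner (no group or other
# bits at all), 1 when any group/other bit is set, 2 when the file is
# missing. The mode is parsed from ls so this works on GNU and BSD alike.
vpnc_conf_is_private() {
    [ -f "$1" ] || return 2
    # First 10 characters: type + owner/group/other rwx, e.g. -rw-r--r--
    # (a trailing '.' or '+' for SELinux/ACLs is cut off).
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# The fix the report asks for: restrict the file to its owner, then verify.
harden_vpnc_conf() {
    chmod 600 "$1" || return 1
    vpnc_conf_is_private "$1"
}

# One-line report per file; exit status mirrors vpnc_conf_is_private.
vpnc_conf_audit() {
    f="$1"
    if [ ! -f "$f" ]; then
        printf '%s: no such file\n' "$f"
        return 2
    fi
    keys=$(vpnc_conf_secret_keys "$f")
    if vpnc_conf_is_private "$f"; then
        printf '%s: OK, owner-only (secret keys: %s)\n' "$f" "${keys:-none}"
        return 0
    fi
    printf '%s: GROUP/WORLD READABLE, holds: %s\n' "$f" "${keys:-none}"
    return 1
}

# Usage (path is an assumption, not stated in the bug):
#   vpnc_conf_audit /etc/vpnc/vpnc.conf || harden_vpnc_conf /etc/vpnc/vpnc.conf
```

The mode check deliberately rejects any group or other bit, not just the read bit, so a file that is group-writable but not group-readable is still reported; for a file that holds a shared secret there is no legitimate reason for anyone but the owner to touch it.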
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-14 09:58:29 UTC
Indeed
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2007-02-16 06:58:17 UTC
hanno has sent a patch upstream; we wait for integration.
Comment 3 Hanno Böck gentoo-dev 2007-02-19 21:36:09 UTC
Now 0.4.0 is in and I'd like to soon remove all older versions.

Security, do you think this is worth an advisory? It's imho no real security flaw, just bad defaults.
Comment 4 Hanno Böck gentoo-dev 2007-02-21 15:52:10 UTC
Archs, please mark stable vpnc-0.4.0 so we can get rid of the svn-snapshot ebuilds.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2007-02-21 16:20:38 UTC
x86 stable
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2007-02-21 20:53:33 UTC
ppc64 stable
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-23 17:44:30 UTC
(In reply to comment #3)

> Security, do you think this is worth an advisory? It's imho no real security
> flaw, just bad defaults.
> 

probably no
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-02-27 19:01:01 UTC
ppc stable
Comment 9 Steve Dibb (RETIRED) gentoo-dev 2007-03-03 14:09:42 UTC
amd64 stable
Comment 10 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-06 14:31:00 UTC
undecided... tend to vote no though

the account used for my uni's vpn is the same as for mail etc, so it might contain pretty sensitive information
Comment 11 Stefan Cornelius (RETIRED) gentoo-dev 2007-03-06 14:35:33 UTC
yet another no
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-13 23:03:21 UTC
(In reply to comment #11)
> yet another no
> 

i agree