
Bug 166801

Summary: net-misc/vpnc - world-readable credentials
Product: Gentoo Security
Reporter: Jakub Moc (RETIRED) <jakub>
Component: Default Configs
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: fauli, hanno
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [noglsa] Falco
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 158271

Description Jakub Moc (RETIRED) gentoo-dev 2007-02-14 09:51:45 UTC
Opfer noticed that vpnc.conf is installed with 0644 permissions; it definitely should not be, as it contains sensitive data.

# cat vpnc.conf 
IPSec gateway 131.246.118.240
IPSec ID unikl
IPSec secret unikl
Xauth username abcdef
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-14 09:58:29 UTC
Indeed
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2007-02-16 06:58:17 UTC
hanno has sent a patch upstream, we wait for integration.
Comment 3 Hanno Böck gentoo-dev 2007-02-19 21:36:09 UTC
Now 0.4.0 is in and I'd like to soon remove all older versions.

Security, do you think this is worth an advisory? It's imho no real security flaw, just bad defaults.
Comment 4 Hanno Böck gentoo-dev 2007-02-21 15:52:10 UTC
Archs, please mark stable vpnc-0.4.0 so we can get rid of the svn-snapshot ebuilds.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2007-02-21 16:20:38 UTC
x86 stable
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2007-02-21 20:53:33 UTC
ppc64 stable
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-23 17:44:30 UTC
(In reply to comment #3)

> Security, do you think this is worth an advisory? It's imho no real security
> flaw, just bad defaults.
> 

probably no
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-02-27 19:01:01 UTC
ppc stable
Comment 9 Steve Dibb (RETIRED) gentoo-dev 2007-03-03 14:09:42 UTC
amd64 stable
Comment 10 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-06 14:31:00 UTC
undecided... tend to vote no though

the account used for my uni's vpn is the same as for mail etc, so it might contain pretty sensitive information
Comment 11 Stefan Cornelius (RETIRED) gentoo-dev 2007-03-06 14:35:33 UTC
yet another no
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-13 23:03:21 UTC
(In reply to comment #11)
> yet another no
> 

i agree