Package: rhythmbox-plugins
Version: 2.95-1
Severity: normal
Tags: patch

Dear Maintainer,

Since the Last.fm session file[0] includes a session key for API usage, it would probably make sense to create it mode 0640 instead of 0644.
Even though the API doesn't AFAIK provide access to sensitive information (thus severity:normal), it can still be misused.
The attached patch should be all that's needed.

[0] ~/.local/share/rhythmbox/audioscrobbler/sessions

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (150, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages rhythmbox-plugins depends on:
ii  gir1.2-gconf-2.0  3.2.3-3
ii  gir1.2-glib-2.0  1.31.20-1
ii  gir1.2-gtk-3.0  3.2.3-1
ii  gir1.2-peas-1.0  1.2.0-1
ii  gir1.2-rb-3.0  2.95-1
ii  gir1.2-webkit-3.0  1.6.3-2
ii  libatk1.0-0  2.2.0-2
ii  libc6  2.13-27
ii  libcairo-gobject2  1.10.2-7
ii  libcairo2  1.10.2-7
ii  libclutter-1.0-0  1.8.4-1
ii  libclutter-gst-1.0-0  1.4.6-1
ii  libclutter-gtk-1.0-0  1.0.4-1
ii  libcogl-pango0  1.8.2-1
ii  libcogl5  1.8.2-1
ii  libdmapsharing-3.0-2  2.9.14-1
ii  libdrm2  2.4.30-1
ii  libffi5  3.0.10-3
ii  libfontconfig1  2.8.0-3.1
ii  libfreetype6  2.4.8-1
ii  libgconf2-4  3.2.3-3
ii  libgdk-pixbuf2.0-0  2.24.1-1
ii  libgirepository-1.0-1  1.31.20-1
ii  libgl1-mesa-glx [libgl1]  7.11.2-1
ii  libglib2.0-0  2.30.2-6
ii  libgnome-keyring0  3.2.2-2
ii  libgpod4  0.8.2-6
ii  libgrilo-0.1-0  0.1.18-1
ii  libgstreamer-plugins-base0.10-0  0.10.36-1
ii  libgstreamer0.10-0  0.10.36-1
ii  libgtk-3-0  3.2.3-1
ii  libgudev-1.0-0  175-3.1
ii  libimobiledevice2  1.1.1-3
ii  libjson-glib-1.0-0  0.14.2-1
ii  liblircclient0  0.9.0~pre1-1
ii  libmtp9  1.1.2-2
ii  libmusicbrainz3-6  3.0.2-2
ii  libmx-1.0-2  1.4.2-1
ii  libnotify4  0.7.4-1
ii  libpango1.0-0  1.29.4-3
ii  libpeas-1.0-0  1.2.0-1
ii  librhythmbox-core5  2.95-1
ii  libsoup-gnome2.4-1  2.36.1-1
ii  libsoup2.4-1  2.36.1-1
ii  libtdb1  1.2.9+git20120207-1
ii  libtotem-plparser17  2.32.6-3
ii  libusb-0.1-4  2:0.1.12-20
ii  libx11-6  2:1.4.4-4
ii  libxcomposite1  1:0.4.3-2
ii  libxdamage1  1:1.1.3-2
ii  libxext6  2:1.3.0-3
ii  libxfixes3  1:5.0-4
ii  libxi6  2:1.4.5-1
ii  libxml2  2.7.8.dfsg-7
ii  python  2.7.2-10
ii  python-gnomekeyring  2.32.0+dfsg-1
ii  python-mako  0.6.2-1
ii  python2.7  2.7.3~rc1-1
ii  rhythmbox  2.95-1
ii  zeitgeist-core  0.8.2-1
ii  zlib1g  1:1.2.6.dfsg-2

Versions of packages rhythmbox-plugins recommends:
ii  nautilus-sendto  3.0.1-2

rhythmbox-plugins suggests no packages.

-- no debconf information
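The mitigation the report asks for, writing a file that carries a session key so that it is never group- or world-readable, shown as an added example that is not rhythmbox code and does not use GIO: it uses plain POSIX open()/fchmod() instead of g_file_replace_contents(), so it can be compiled with any libc. It also covers the case the create-mode alone does not: a sessions file that already exists with 0644 from an earlier version is tightened on rewrite. The path and the file contents in main() are constructed placeholders, not the real Last.fm session file.

```c
/* Added example (not from rhythmbox): create or rewrite a secret-bearing
 * file such as the Last.fm sessions file with mode 0600, independent of the
 * process umask and of the mode an existing copy of the file already has. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return the permission bits (0..07777) of path, or -1 if stat() fails. */
int file_mode_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Return 1 if group or others have any access bit on path, 0 if the file
 * is private to its owner, -1 if it cannot be stat()ed. This is the check
 * a user can run against an existing sessions file after upgrading. */
int file_is_exposed(const char *path)
{
    int mode = file_mode_bits(path);
    if (mode < 0)
        return -1;
    return (mode & 077) != 0;
}

/* Write len bytes of data to path so that the result has mode 0600.
 * Returns 0 on success, -1 on failure (errno is left set by the failing call). */
int write_private_file(const char *path, const char *data, size_t len)
{
    /* The mode argument of open() is masked by umask, which can only clear
     * bits, so a newly created file can never come out group/other readable.
     * O_NOFOLLOW refuses to write through a symlink planted at the path. */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;

    /* open()'s mode only applies when the file is created; a file that
     * already existed keeps its old mode, so tighten it explicitly. */
    if (fchmod(fd, 0600) != 0) {
        close(fd);
        return -1;
    }

    size_t done = 0;
    while (done < len) {
        ssize_t n = write(fd, data + done, len - done);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        done += (size_t)n;
    }
    return close(fd) == 0 ? 0 : -1;
}

int main(void)
{
    /* Constructed placeholder path and contents; not the real session file. */
    const char *path = "/tmp/example-audioscrobbler-sessions";
    const char *contents = "[Last.fm]\nsession_key=PLACEHOLDER\n";

    if (write_private_file(path, contents, strlen(contents)) != 0) {
        perror("write_private_file");
        return 1;
    }
    printf("%s: mode %04o, exposed=%d\n", path,
           file_mode_bits(path), file_is_exposed(path));
    unlink(path);
    return 0;
}
```

Running the program prints a mode of 0600 and exposed=0 even under a umask of 022, which is exactly the property the 0644 default lacks. The same file_is_exposed() check can be pointed at ~/.local/share/rhythmbox/audioscrobbler/sessions on a system that scrobbled before the fix was applied, since a file created earlier with 0644 is only tightened once something rewrites it with the private mode.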
From: Leo 'costela' Antunes <[email protected]> Subject: scrobbler: should probably create session file with mode 0640 Since the Last.fm session file includes a session key for API usage, it would probably make sense to create it mode 0640 instead of 0644. Index: rhythmbox-2.95/plugins/audioscrobbler/rb-audioscrobbler-account.c =================================================================== --- rhythmbox-2.95.orig/plugins/audioscrobbler/rb-audioscrobbler-account.c 2012-01-10 12:46:03.000000000 +0100 +++ rhythmbox-2.95/plugins/audioscrobbler/rb-audioscrobbler-account.c 2012-03-10 15:05:37.454014561 +0100 @@ -408,7 +408,7 @@ g_free (file_path); error = NULL; - g_file_replace_contents (out_file, data, data_length, NULL, FALSE, G_FILE_CREATE_NONE, NULL, NULL, &error); + g_file_replace_contents (out_file, data, data_length, NULL, FALSE, G_FILE_CREATE_PRIVATE, NULL, NULL, &error); if (error != NULL) { rb_debug ("error saving session: %s", error->message); g_error_free (error);
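Review bot: G_FILE_CREATE_PRIVATE in the new g_file_replace_contents call creates the file readable and writable by the owner only (0600), not the 0640 named in the subject line and the report; that is stricter than asked for, which is fine for a file holding a session key, but the subject and changelog entry should say 0600 so nobody goes looking for a group-readable file. Second point worth verifying before shipping: the G_FILE_CREATE_* flags describe how the file is created, so a sessions file that already exists with 0644 from a previous version should be checked after the next save to confirm it actually ends up 0600; if it does not, the fix needs either an explicit chmod of the existing file on load or a note telling upgrading users to tighten ~/.local/share/rhythmbox/audioscrobbler/sessions by hand.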

