Package: xbmc
Version: 2:13.0+dfsg1-1
Severity: grave
Tags: security
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org

Hi,

I just added a webdav source in xbmc, so it asks for a username and password.
But this information is then stored in a plain XML file:
~/.xbmc/userdata/sources.xml, moreover a world readable file:

adrien ~/ $ ls -l .xbmc/userdata/sources.xml
-rw-r--r-- 1 adrien adrien 1006 mai 8 16:34 .xbmc/userdata/sources.xml

This file should be at least chmod 700 and the users should be informed that
the password will be stored in an unsafe manner.

Regards,

Adrien

--- System information. ---
Architecture: amd64
Kernel:       Linux 3.13-1-amd64

Debian Release: jessie/sid
  900 testing         security.debian.org
  900 testing         ftp.fr.debian.org
  800 unstable        ftp.fr.debian.org
  700 experimental    ftp.fr.debian.org

--- Package information. ---
Depends                         (Version) | Installed
============================================-+-=======================
xbmc-bin              (>= 2:13.0+dfsg1-1) | 2:13.0+dfsg1-1
xbmc-bin           (<< 2:13.0+dfsg1-1.1~) | 2:13.0+dfsg1-1
mesa-utils                                | 8.1.0-2+b1
x11-utils                                 | 7.7+1
fonts-dejavu-core                         | 2.34-1
 OR ttf-dejavu-core                       | 2.34-1
fonts-roboto                              | 1:4.3-3
libjs-jquery                              | 1.7.2+dfsg-3
libjs-iscroll                             | 5.1.1+dfsg1-1
python-imaging                            | 2.3.0-2
python:any                  (>= 2.7.5-5~) |

Package's Recommends field is empty.

Package's Suggests field is empty.
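
An added example, not part of the original report and not xbmc's own code: a small audit that flags a configuration file accessible beyond its owner, reports URLs carrying embedded credentials with the password redacted, and restricts the file to owner-only read/write (0600). The sample file content, its `<path>` element layout, the account name and the host name are constructed assumptions.

```python
import os
import re
import stat
import tempfile

# scheme://user:password@host ; group 1 is kept, the password is redacted.
CRED_URL = re.compile(r'\b([a-z][a-z0-9+.-]*://[^\s:/@<>"]+):[^\s/@<>"]+@', re.I)

def audit(path):
    """Return a list of findings for one configuration file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants access to group/other")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if CRED_URL.search(line):
                redacted = CRED_URL.sub(r"\1:***@", line.strip())
                findings.append(f"line {lineno}: embedded credentials: {redacted}")
    return findings

def harden(path):
    """Restrict the file to its owner (0600) and return the resulting mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    # Constructed sample: element layout and URL are assumptions, not from the report.
    sample = ('<sources><video><source><name>dav</name>'
              '<path>davs://alice:s3cret@dav.example.org/media/</path>'
              '</source></video></sources>\n')
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sources.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)  # same mode as in the report's ls output
        before = audit(path)
        new_mode = harden(path)
        after = audit(path)  # permissions fixed, plaintext password still present
    return before, new_mode, after

if __name__ == "__main__":
    before, new_mode, after = demo()
    print("\n".join(before))
    print(f"after chmod: {new_mode:04o}")
    print("\n".join(after))
```

Tightening the mode only removes access for other local accounts; the second audit still reports the credential because it remains in plaintext in the file.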