[Bug 383358] New: Add on Creator stores gpg passwords in insecure ways.
https://bugzilla.novell.com/show_bug.cgi?id=383358

Summary: Add on Creator stores gpg passwords in insecure ways.
Product: openSUSE 10.3
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: YaST2
AssignedTo: jsuchome@novell.com
ReportedBy: pnemec@novell.com
QAContact: jsrain@novell.com
Found By: ---

I have an add-on project and I am signing it with my gpg key. I was very surprised when I realized that Add On Creator stores the password in the project file in an insecure hash. More than that, Add On logs the password into y2log:

2008-04-24 15:36:19 <1> wintermute(9804) [YCP] AddOnCreator.ycp:2320 key C334249B, pws $["HASH":"clear-text-password"]
2008-04-24 15:36:19 <1> wintermute(9804) [agent-system] SystemAgent.cc(Execute):1098 mkdir /home/pavel/Desktop/ptf-repo/output/media.1
2008-04-24 15:36:19 <1> wintermute(9804) [agent-system] SystemAgent.cc(Execute):1098 mkdir /home/pavel/Desktop/ptf-repo/output/media.1
2008-04-24 15:36:19 <1> wintermute(9804) [agent-system] SystemAgent.cc(Execute):1098 mkdir /home/pavel/Desktop/ptf-repo/output/suse
2008-04-24 15:36:19 <1> wintermute(9804) [agent-system] SystemAgent.cc(Execute):1098 mkdir /home/pavel/Desktop/ptf-repo/output/suse/i586
2008-04-24 15:36:19 <1> wintermute(9804) [agent-system] SystemAgent.cc(Execute):1098 mkdir /home/pavel/Desktop/ptf-repo/output/suse/setup/descr
2008-04-24 15:36:25 <3> wintermute(9804) [bash] ShellCommand.cc(shellcommand):78 sh: /usr/bin/mk_listings: Přístup odmítnut
2008-04-24 15:36:25 <2> wintermute(9804) [YCP] AddOnCreator.ycp:1575 mk_listings returns $["exit":126, "stderr":"sh: /usr/bin/mk_listings: Přístup odmítnut\n", "stdout":""]

I suggest that the creator does not store the gpg password at all and asks the user to provide the password using a dialog, or as a command-line parameter.
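One way to find and scrub such entries in an existing y2log, as an added example that is not part of the original report or of YaST. It assumes every value of the map logged after `pws` is sensitive; the function names and the third sample line are constructed here.

```python
import re

# Layout of a y2log line as it appears in the report:
#   DATE TIME <level> host(pid) [component] source:line message
LINE_RE = re.compile(r'^(\S+ \S+) <\d> \S+\(\d+\) \[[^\]]+\] (\S+) (.*)$')
MARKER = 'pws $['  # start of the YCP map logged by AddOnCreator.ycp
# One "key":"value" pair of a YCP map; backslash escapes are allowed in both.
PAIR_RE = re.compile(r'\s*"((?:[^"\\]|\\.)*)"\s*:\s*"((?:[^"\\]|\\.)*)"\s*,?')

# Lines 1 and 2 are quoted from the report; line 3 is constructed (two entries, ']' and '\"' in a value).
SAMPLE = [
    '2008-04-24 15:36:19 <1> wintermute(9804) [YCP] AddOnCreator.ycp:2320 key C334249B, pws $["HASH":"clear-text-password"]',
    '2008-04-24 15:36:19 <1> wintermute(9804) [agent-system] SystemAgent.cc(Execute):1098 mkdir /home/pavel/Desktop/ptf-repo/output/suse',
    '2008-04-24 15:36:20 <1> examplehost(1234) [YCP] AddOnCreator.ycp:2320 key 0A1B2C3D, pws $["K1":"p]ss\\"w", "K2":"x"]',
]


def redact_message(msg):
    """Blank every value of the map after 'pws'. Returns (text, n_values)."""
    start = msg.find(MARKER)
    if start < 0:
        return msg, 0
    pos = start + len(MARKER)
    parts, count = [msg[:pos]], 0
    # Walk the pairs one by one so a ']' inside a password cannot end the map early.
    m = PAIR_RE.match(msg, pos)
    while m:
        parts.append('"%s":"<redacted>"' % m.group(1))
        count += 1
        pos = m.end()
        if msg[pos - 1] == ',':
            parts.append(', ')
        m = PAIR_RE.match(msg, pos)
    parts.append(msg[pos:])
    return ''.join(parts), count


def scan(lines):
    """Return (findings, cleaned); a finding is (lineno, timestamp, source, n_values)."""
    findings, cleaned = [], []
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        msg = m.group(3) if m else line
        red, n = redact_message(msg)
        if n:
            findings.append((no, m.group(1) if m else None, m.group(2) if m else None, n))
            line = line[:len(line) - len(msg)] + red
        cleaned.append(line)
    return findings, cleaned
```

Calling `scan(SAMPLE)` reports lines 1 and 3 and returns copies with the map values blanked; any passphrase that already reached a log should still be treated as exposed and changed.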
User jsuchome@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=383358#c1
Jiří Suchomel
> I was very surprised when I realized that Add On Creator stores the password in the project file in an insecure hash.

Please attach the project file (you can change the password value, of course).
User pnemec@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=383358#c2
--- Comment #2 from Pavel Nemec
User pnemec@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=383358#c3
Pavel Nemec
User jsuchome@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=383358#c4
--- Comment #4 from Jiří Suchomel
User jsuchome@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=383358#c5
Jiří Suchomel