password stored in plaintext in $HOME/.config/pithos.ini

Bug #733307 reported by Ian
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Pithos | Fix Released | Low | Luke Faraone | |
| pithos (Ubuntu) | Fix Released | High | Luke Faraone | |

Bug Description

The configuration file which stores authentication for Pandora is world readable. This allows other local users to read a user's authentication credentials.

Revision history for this message
Kevin Mehall (kevin-mehall) wrote :

MD5 is not an option since we need to send the plaintext password to Pandora. A slightly more ideal solution would be to use gnome-keyring, but I'd like to avoid a hard gnome dependency and most users store their gnome keyrings unencrypted anyway.

`chmod 600 .config/pithos.ini` would probably be a reasonable thing for Pithos to do automatically, however

Kevin Mehall (kevin-mehall) wrote :

Also, the password is sent over the wire encrypted with a publicly-known (i.e. in the Pandora .swf and Pithos source) blowfish key.

visibility: private → public
Changed in pithos:
status: New → Triaged
importance: Undecided → Low
Luke Faraone (lfaraone) wrote :

Perhaps we should add a little notice indicating that Pithos does not store passwords securely, nor can it transmit them as such because of the aforementioned reasons.

We could also use python-keyring <http://pypi.python.org/pypi/keyring>, which is packaged in the repositories and abstracts away keyring access on GNOME, KDE, OSX. This way, the passwords are stored in a central location, which users can choose to protect if they so desire.

Luke Faraone (lfaraone)
visibility: public → private
Changed in pithos (Ubuntu):
importance: Undecided → High
Luke Faraone (lfaraone)
visibility: private → public
description: updated
Luke Faraone (lfaraone)
Changed in pithos (Ubuntu):
status: New → In Progress
assignee: nobody → Luke Faraone (lfaraone)
Reed Loden (reed) wrote :

Is it not possible to send the login information over SSL?

Luke Faraone (lfaraone) wrote :

Not as far as we're aware; the main login method used by the Pandora web client sends the password symmetrically encrypted.

We'll look into possibly logging in via SSL and transferring from an HTTP cookie to an LSO, but the protocol's use of blowfish means that the authentication token (be it password or cookie) can be sniffed regardless.

Changed in pithos:
status: Triaged → Fix Committed
assignee: nobody → Luke Faraone (lfaraone)
Changed in pithos:
status: Fix Committed → Fix Released
Reed Loden (reed) wrote :

Why even offer the 'unsafe_permissions' option at all? Do you actually know of a specific case where a user would need different permissions on the file? Seems like it would be unwise to add configuration options "just because".

Luke Faraone (lfaraone)
Changed in pithos (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pithos - 0.3.8-1

---------------
pithos (0.3.8-1) unstable; urgency=high

  * New upstream bugfix release.
  * SECURITY UPDATE: Pandora password leak to local users. (LP: #733307)
    - pithos/PreferencesPithosDialog.py: correct mode on pithos.ini on next
      run of pithos
    - bin/pithos: run permissions fixer, resave pithos.ini if fix applied
    - CVE-2011-1500
  * Drop 0001_cell_background_fix.patch and
    0002_long_song_format_fix_lp734962.patch, integrated upstream.

pithos (0.3.7-3) unstable; urgency=low

  * Correctly handle hour-long songs. (LP: #734962)
  * Switch to dh_python2. (closes: #616939)
  * Bump standards version, no changes needed.
 -- Luke Faraone <email address hidden> Wed, 13 Apr 2011 14:22:05 +0000
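The changelog above describes the shape of the fix: a permissions fixer that runs at startup, tightens pithos.ini to mode 0600 if it is group- or world-accessible, and resaves the file when a fix was applied. The following is an added illustration of that approach, not the Pithos project's own code; the function names, the use of a 0600 temp file plus atomic rename for the resave, and the sample credentials are assumptions made for the example.

```python
import os
import stat
import tempfile

# Any group/other permission bit on a credentials file leaks it to other local users.
UNSAFE_BITS = stat.S_IRWXG | stat.S_IRWXO
PRIVATE_MODE = stat.S_IRUSR | stat.S_IWUSR  # 0600
# Constructed sample content with fake credentials, not a real account.
SAMPLE_INI = "[login]\nusername = user@example.com\npassword = hunter2\n"

def config_is_exposed(path):
    """True if group or others have any access to the file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & UNSAFE_BITS)

def fix_config_permissions(path):
    """Startup check: tighten the mode to 0600 if needed.
    Returns True when a fix was applied, so the caller knows to resave."""
    if not config_is_exposed(path):
        return False
    os.chmod(path, PRIVATE_MODE)
    return True

def write_private_config(path, text):
    """Resave without a window in which the new file is readable by others:
    mkstemp creates the temp file with mode 0600, then an atomic rename
    replaces the old copy (chmod-after-write would leave such a window)."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".pithos.ini.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise

def demo():
    """Constructed scenario: a pre-fix pithos.ini left world-readable (0644)."""
    cfg = os.path.join(tempfile.mkdtemp(), "pithos.ini")
    with open(cfg, "w") as f:
        f.write(SAMPLE_INI)
    os.chmod(cfg, 0o644)
    exposed_before = config_is_exposed(cfg)
    fixed = fix_config_permissions(cfg)
    if fixed:
        write_private_config(cfg, SAMPLE_INI)
    exposed_after = config_is_exposed(cfg)
    fixed_again = fix_config_permissions(cfg)  # idempotent: nothing left to fix
    return exposed_before, fixed, exposed_after, fixed_again
```

On a POSIX system `demo()` returns `(True, True, False, False)`; note that this only protects the file on disk and does nothing about the on-the-wire weakness discussed in the comments above.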

Changed in pithos (Ubuntu):
status: Fix Committed → Fix Released
This report contains Public Security information. Everyone can see this security related information.