Bug 200323 (CVE-2006-3816)

Summary: CVE-2006-3816, krusader: cleartext passwords in bookmarks file
Product: [Fedora] Fedora Reporter: Ville Skyttä <scop>
Component: krusaderAssignee: Marcin Garski <mgarski>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: medium    
Version: 5CC: extras-qa, fedora-security-list
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3816
Whiteboard:
Fixed In Version: 1.70.1-1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-07-31 13:59:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ville Skyttä 2006-07-26 20:34:32 UTC 
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3816
http://krusader.sourceforge.net/phpBB/viewtopic.php?p=7965

Krusader 1.50-beta1 up to 1.70.0 stores passwords for remote connections in
cleartext in the bookmark file (krbookmarks.xml), which allows attackers to
steal passwords by obtaining the file.

FE[345] and devel affected.
Comment 1 Marcin Garski 2006-07-29 21:54:04 UTC 
Thanks for bug report. Bug is fixed in 1.70.1-1. Sorry for such delay in case of
security bug, but I was on holiday.
Comment 2 Ville Skyttä 2006-07-30 20:01:44 UTC 
Did you remember to push FC-5 and devel builds too?  FC-3 and FC-4 are at 1.70.1
but FC-5 and devel still at 1.70.0.
Comment 3 Marcin Garski 2006-07-31 13:59:55 UTC 
Yes I did, but I didn't noticed that result files from ppc builder couldn't be
downloaded. I've requeued that two packages and this time everything went fine.
Thanks for pointing out.