Opened 11 years ago

Last modified 11 years ago

#5872 new patch

Fix for master password expose for pidgin

Reported by: ubuntugeek Owned by: rlaager
Milestone: Patches Needing Improvement Component: libpurple
Version: 2.4.2 Keywords: master password
Cc:

Description

Pidgin stores your passwords in plain text in ~/.purple/accounts.xml. Someone can easily boot into recovery mode while you are away and find your passwords in plain text.

You can download the patch from Here

Attachments (1)

master-password.patch (35.3 KB) - added by rlaager 11 years ago.
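
An added check, not part of the ticket or the attached patch: a Python audit that lists which accounts in an accounts.xml file carry a stored password and whether the file is accessible to group or other. The element names and the sample file are assumptions constructed for illustration. Tight file modes only limit other local users; they do not protect against someone who boots into recovery mode.

```python
import os
import stat
import sys
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample; the element names (account, protocol, name, password)
# are an assumed layout of accounts.xml, not taken from the ticket.
SAMPLE = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@example.org/home</name>
    <password>constructed-secret</password>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>alice@irc.example.org</name>
  </account>
</account>
"""

def audit_accounts(path):
    """Return (findings, mode_ok): one (protocol, name, password length)
    tuple per account with a stored password, and whether the file mode
    denies all access to group and other."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    mode_ok = (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0
    findings = []
    for acct in ET.parse(path).getroot().findall("account"):
        pw = acct.findtext("password")
        if pw:  # report only the length, never the secret itself
            findings.append((acct.findtext("protocol"), acct.findtext("name"), len(pw)))
    return findings, mode_ok

def demo(mode):
    """Write the constructed sample to a temp file with `mode` and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "accounts.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, mode)
        return audit_accounts(path)

if __name__ == "__main__":
    # Pass a real path (e.g. ~/.purple/accounts.xml, expanded) or run the sample.
    result = audit_accounts(sys.argv[1]) if len(sys.argv) > 1 else demo(0o644)
    print(result)
```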


Change History (8)

comment:1 Changed 11 years ago by deryni

  • Owner changed from lschiere to rlaager

This patch is unlikely to be accepted as is for a number of reasons, not least of which is the fact that it adds a hard dependency on NSS to pidgin. But also the fact that the correct way to do this is to integrate pidgin with existing system password storage systems (a task for which there is a SoC project this year). I'm assigning this to the SoC mentor for that project in case it has any use there.

Oh, one last thing, there really isn't any point to tarring up a single file, it just adds extraction annoyance for people downloading it.

Changed 11 years ago by rlaager

comment:2 Changed 11 years ago by rlaager

  • Milestone set to Patches Needing Improvement

I'm copying the patch here so that we have a copy of it. I think we may end up doing a backend based on this.

comment:3 Changed 11 years ago by datallah

Ticket #7215 has been marked as a duplicate of this ticket.

comment:4 Changed 11 years ago by mlissner

Is there any hope of a fix for this? The summer is nearly over?

comment:5 Changed 11 years ago by rlaager

The code from SoC is pretty close to ready. The problem is that it makes backwards-incompatible changes to the API. Those can be avoided, but only with dirty hackery that isn't guaranteed to work. At this point, we're working towards a 3.0.0 release where we can bundle up a number of these backwards-incompatible changes.

comment:6 Changed 11 years ago by mlissner

Ah, I see. Thanks for the update then. That makes sense, especially considering certain things such as the empathy vs pidgin debate.

comment:7 Changed 11 years ago by rekkanoryo

  • Component changed from unclassified to libpurple