Package: krusader
Version: 1.51-1
Followup-For: Bug #380063

I tested this with sarge's krusader and can't reproduce this exploit. Although the file krbookmarks.xml is created group- and world-readable (that can and should be easily fixed), the directory it is in is not. For the path /home/alec/.kde/share/apps/krusader/krbookmarks.xml, none of .kde, share, apps, or krusader is group- or world-readable (or writable/executable). The user would have to manually change the permissions on those directories for this to be exploitable.

Additionally, I found it difficult to even save the password to the bookmarks file. When I typed in a URL with password into the right-hand pane and pressed enter, the password was stripped out of the URL after it was used. I could not use the bookmark button to make a new bookmark before the URL had been stripped; it would only allow me to bookmark the current directory. I could make Krusader write the password to the bookmarks file, but only after manually editing it using the bookmark manager to include the password.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-386
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages krusader depends on:
ii  kdelibs4        4:3.3.2-6.4            KDE core libraries
ii  libart-2.0-2    2.3.17-1               Library of functions for 2D graphi
ii  libaudio2       1.7-2                  The Network Audio System (NAS). (s
ii  libc6           2.3.2.ds1-22sarge3     GNU C Library: Shared libraries an
ii  libfam0c102     2.7.0-6sarge1          client library to control the FAM
ii  libfontconfig1  2.3.1-2                generic font configuration library
ii  libfreetype6    2.1.7-2.5              FreeType 2 font engine, shared lib
ii  libgcc1         1:3.4.3-13             GCC support library
ii  libice6         4.3.0.dfsg.1-14sarge1  Inter-Client Exchange library
ii  libidn11        0.5.13-1.0             GNU libidn library, implementation
ii  libjpeg62       6b-10                  The Independent JPEG Group's JPEG
ii  libpcre3        4.5-1.2sarge1          Perl 5 Compatible Regular Expressi
ii  libpng12-0      1.2.8rel-1             PNG library - runtime
ii  libqt3c102-mt   3:3.3.4-3              Qt GUI Library (Threaded runtime v
ii  libsm6          4.3.0.dfsg.1-14sarge1  X Window System Session Management
ii  libstdc++5      1:3.3.5-13             The GNU Standard C++ Library v3
ii  libx11-6        4.3.0.dfsg.1-14sarge1  X Window System protocol client li
ii  libxcursor1     1.1.3-1                X cursor management library
ii  libxext6        4.3.0.dfsg.1-14sarge1  X Window System miscellaneous exte
ii  libxft2         2.1.7-1                FreeType-based font drawing librar
ii  libxrandr2      4.3.0.dfsg.1-14sarge1  X Window System Resize, Rotate and
ii  libxrender1     0.8.3-7                X Rendering Extension client libra
ii  libxt6          4.3.0.dfsg.1-14sarge1  X Toolkit Intrinsics
ii  xlibs           4.3.0.dfsg.1-14sarge1  X Keyboard Extension (XKB) configu
ii  zlib1g          1:1.2.2-4.sarge.2      compression library - runtime

-- no debconf information
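
The report's argument, that a world-readable file is only exposed if every directory above it can be searched, can be checked mechanically. The following is an added example, not part of the original report or of Krusader; the function names and the temporary directory layout are constructed for illustration, and it inspects mode bits only (no ACLs).

```python
import os
import stat
import tempfile

# Per class: (read bit on the file, search bit on directories).
BITS = {"group": (stat.S_IRGRP, stat.S_IXGRP),
        "other": (stat.S_IROTH, stat.S_IXOTH)}

def audit(path, start, who="other"):
    """Return (file_bit_set, blockers) for permission class `who`.

    file_bit_set: the file's own mode grants read to `who`.
    blockers: directories below `start` on the way to `path` that deny
    search (x) to `who`; a single one makes the file unreachable.
    Assumes `path` lies under `start`, and for "group" that the reader
    belongs to each owning group.
    """
    read_bit, search_bit = BITS[who]
    path, start = os.path.abspath(path), os.path.abspath(start)
    rel = os.path.relpath(os.path.dirname(path), start)
    blockers, current = [], start
    for part in ([] if rel == "." else rel.split(os.sep)):
        current = os.path.join(current, part)
        if not os.stat(current).st_mode & search_bit:
            blockers.append(current)
    return bool(os.stat(path).st_mode & read_bit), blockers

def exposed(path, start, who="other"):
    """True only if the file is readable AND every directory is searchable."""
    file_bit_set, blockers = audit(path, start, who)
    return file_bit_set and not blockers

def build_sample(home, dir_mode):
    """Constructed layout mirroring the report: a 0644 bookmarks file."""
    d = home
    for part in (".kde", "share", "apps", "krusader"):
        d = os.path.join(d, part)
        os.mkdir(d)
        os.chmod(d, dir_mode)  # explicit chmod so the umask does not interfere
    f = os.path.join(d, "krbookmarks.xml")
    with open(f, "w") as fh:
        fh.write("<!-- constructed placeholder content -->\n")
    os.chmod(f, 0o644)
    return f

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        f = build_sample(home, 0o700)
        print(audit(f, home))    # file bit set, four blocking directories
        print(exposed(f, home))  # False: the 0700 directories shield the file
```

Running `audit` against a real home directory with `start` set to its parent shows whether the 0644 file is the only thing standing between other local users and the bookmarks, which is the case the report says requires manually loosened directory permissions.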