password stored in plaintext in $HOME/.config/pithos.ini

MD5 is not an option since we need to send the plaintext password to Pandora. A slightly more ideal solution would be to use gnome-keyring, but I'd like to avoid a hard gnome dependency and most users store their gnome keyrings unencrypted anyway.

`chmod 600 .config/pithos.ini` would probably be a reasonable thing for Pithos, to do automatically, however

Also, the password is sent over the wire encrypted with a publicly-known (i.e. in the Pandora .swf and Pithos source) blowfish key.

Perhaps we should add a little notice indicating that Pithos does not store passwords securely, nor can it transmit them as such because of the aforementioned reasons.

We could also use python-keyring <http://pypi.python.org/pypi/keyring>, which is packaged in the repositories and abstracts away keyring access on GNOME, KDE, OSX. This way, the passwords are stored in a central location, which users can choose to protect if they so desire.

Is it not possible to send the login information over SSL?

Not as far as we're aware; the main login method used by the Pandora web client sends the password symmetrically encrypted.

We'll look into possibly logging in via SSL and transferring from an HTTP cookie to a LSO, but the protocol's use of blowfish means that the authentication token (be it password or cookie) can be sniffed regardless.

Why even offer the 'unsafe_permissions' option at all? Do you actually know of a specific case where a user would need different permissions on the file? Seems like it would be unwise to add configuration options "just because".

This bug was fixed in the package pithos - 0.3.8-1

---------------
pithos (0.3.8-1) unstable; urgency=high

  * New upstream bugfix release.
  * SECURITY UPDATE: Pandora password leak to local users. (LP: #733307)
    - pithos/PreferencesPithosDialog.py: correct mode on pithos.ini on next
      run of pithos
    - bin/pithos: run permissions fixer, resave pithos.ini if fix applied
    - CVE-2011-1500
  * Drop 0001_cell_background_fix.patch and
    0002_long_song_format_fix_lp734962.patch, integrated upstream.

pithos (0.3.7-3) unstable; urgency=low

  * Correctly handle hour-long songs. (LP: #734962)
  * Switch to dh_python2. (closes: #616939)
  * Bump standards version, no changes needed.
 -- Luke Faraone <email address hidden> Wed, 13 Apr 2011 14:22:05 +0000