
Re: Credentials held unencrypted in memory during runtime

From: Simon Large <simon.tortoisesvn_at_gmail.com>
Date: Thu, 14 Apr 2011 10:29:52 +0100

On 13 April 2011 14:29, Pablo M. Dotro <pdotro_at_df.uba.ar> wrote:
> On 13/04/2011 09:55 a.m., Feldhacker, Chris wrote:
>> http://www.wandisco.com/subversion/tortoisesvn-support
>> "Stefan Küng, the TortoiseSVN project's lead developer since 2003, heads WANdisco's team of professionals dedicated to the support, development and enhancement of this widely used Subversion client. This enables us to deliver critical fixes without any delay."
>>
>> I'd be curious if Stefan's views of secure coding best practices are also the official position of WANdisco...
>> Anybody out there with an official support contract with WANdisco want to report this issue through official channels and see where it leads?  It's always interesting to gauge just how much vendors selling support for open source products really can/cannot have an influence...  Would WANdisco's response also be "go away"?
>>
> Going over the head of the project's lead developer in public, on his
> own users list... not polite.
> I would point out *another* obvious angle: TortoiseSVN is open source. I am
> sure that if the interested parties submit a patch that remedies this
> perceived vulnerability, it will be considered. And even if it's not,
> everyone is free to create a derivative and include it in their own builds.

Just to update people, Stefan has added code so that passwords are now
stored in encrypted form in memory rather than in plaintext. This
change has been backported to the 1.6.x stable branch. This addresses
the original complaint in the subject line of this email. A determined
hacker who has access to that memory through whatever means, and who
can determine where to look, can of course decrypt them, but it adds
one more layer of difficulty to the process.

Simon

-- 
:       ___
:  oo  // \\      "De Chelonian Mobile"
: (_,\/ \_/ \     TortoiseSVN
:   \ \_/_\_/>    The coolest Interface to (Sub)Version Control
:   /_/   \_\     http://tortoisesvn.net
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2719716
Received on 2011-04-14 11:29:56 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.
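The mitigation Simon describes, as an added example and not code from TortoiseSVN: a password is held only XOR-masked under a per-object key generated at runtime, unmasked into a scratch buffer for the moment it is needed, and the scratch buffer is wiped afterwards; a plaintext-scan check shows what the change buys and what it does not (an attacker who knows the layout still has key and ciphertext side by side). The keystream, the `protected_secret` type and the `hunter2` sample are constructed for this demo; a Windows client would normally use `CryptProtectMemory` instead of a hand-rolled mask.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#define SECRET_MAX 64

/* A password held in memory only in masked (XOR-encrypted) form. The mask is
 * generated at runtime per object, so a plaintext scan of process memory finds
 * neither the password nor any fixed, recognisable pattern. */
typedef struct { uint8_t key[SECRET_MAX]; uint8_t masked[SECRET_MAX]; size_t len; } protected_secret;
/* Best-effort wipe through a volatile pointer so the optimiser cannot drop it. */
void wipe(void *p, size_t n) { volatile uint8_t *v = p; while (n--) *v++ = 0; }
/* Toy xorshift keystream for a portable demo (constructed, not a CSPRNG). A real
 * client would take OS entropy, or use CryptProtectMemory on Windows. */
static void fill_random(uint8_t *buf, size_t n) {
    static uint64_t st;
    if (!st) { st = (uint64_t)(uintptr_t)buf ^ (uint64_t)time(NULL) ^ 0x9E3779B97F4A7C15ULL; if (!st) st = 1; }
    for (size_t i = 0; i < n; i++) { st ^= st << 13; st ^= st >> 7; st ^= st << 17; buf[i] = (uint8_t)st; }
}

/* Store a plaintext password in masked form. Returns 0, or -1 if it is too long. */
int secret_store(protected_secret *s, const char *plain) {
    size_t len = strlen(plain); if (len >= SECRET_MAX) return -1;
    fill_random(s->key, SECRET_MAX);
    for (size_t i = 0; i < SECRET_MAX; i++)   /* tail is masked zero, not left uninitialised */
        s->masked[i] = (uint8_t)((i < len ? plain[i] : 0) ^ s->key[i]);
    s->len = len; return 0;
}

/* Unmask into a caller buffer only for the moment it is needed, e.g. to hand to
 * the auth provider. Returns the length, or 0 if the buffer is too small. */
size_t secret_reveal(const protected_secret *s, char *out, size_t outlen) {
    if (outlen <= s->len) return 0;
    for (size_t i = 0; i < s->len; i++) out[i] = (char)(s->masked[i] ^ s->key[i]);
    out[s->len] = '\0'; return s->len;
}

/* The check: does a region of memory still contain the plaintext? 1 if found. */
int memory_contains(const void *region, size_t n, const char *needle) {
    size_t m = strlen(needle); const uint8_t *p = region;
    for (size_t i = 0; m && i + m <= n; i++) if (!memcmp(p + i, needle, m)) return 1;
    return 0;
}

int main(void) {
    protected_secret s; char tmp[SECRET_MAX]; secret_store(&s, "hunter2");
    printf("plaintext in object: %d\n", memory_contains(&s, sizeof s, "hunter2"));
    secret_reveal(&s, tmp, sizeof tmp); wipe(tmp, sizeof tmp);   /* use, then wipe at once */
    printf("plaintext in scratch after wipe: %d\n", memory_contains(tmp, sizeof tmp, "hunter2"));
    return 0;
}
```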