Re: Credentials held unencrypted in memory during runtime

From: Dale McCoy <dalestan_at_gmail.com>
Date: Mon, 11 Apr 2011 16:38:20 -0400

> While we test a scenario we found the TortoiseSVN client application
> holds the username and password strings in clear text within the
> memory during runtime, The sensitive information (e.g. password) is
> loaded into a variable during the authentication phase. The variable
> is not cleared after the initial use. It is possible to extract the
> TortoiseSVN strings stored in memory and obtain a valid password.
>
> Please let us know is security issue fixed in the upcoming release.

Why is this a security issue? Do you not trust the software running on
your development machines? If not, why are you letting this untrusted
software run on a machine with access to your source code?

It is not impossible that this is an issue with the subversion
libraries, not TortoiseSVN. Can this issue be observed in the
command-line client?

Dale McCoy

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2718956

To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_tortoisesvn.tigris.org].
Received on 2011-04-11 22:38:45 CEST

This message: [ Message body ]
Next message: Arthur Schwarz: "Re: Credentials held unencrypted in memory during runtime"
Previous message: Andy Stromme: "RE: svn update fails quietly"
In reply to: Annamalai: "Credentials held unencrypted in memory during runtime"
Next in thread: Arthur Schwarz: "Re: Credentials held unencrypted in memory during runtime"
Reply: Arthur Schwarz: "Re: Credentials held unencrypted in memory during runtime"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]