[Bug 278118] games/openttd: Patch adds insecure functionality

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 01 Apr 2024 21:09:27 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=278118

            Bug ID: 278118
           Summary: games/openttd: Patch adds insecure functionality
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: danfe@FreeBSD.org
          Reporter: charlespigott@googlemail.com
             Flags: maintainer-feedback?(danfe@FreeBSD.org)

There is a patch in the OpenTTD port that adds functionality to save passwords
from network games out to a file (presumably so they can be reloaded again on
restart).

This was added quite some time ago, in 2014, for no reason that I can tell just
from the commit.

https://gitlab.com/FreeBSD/freebsd-ports/-/blob/main/games/openttd/files/extra-patch-save-passwords

Even though this patch is guarded by a WITH_SAVE_PASSWORDS define, it feels
very wrong that the official port should make any changes to the functionality
of the program, and certainly not one that saves passwords out in plain text to
an arbitrary file.

(Incidentally, OTTD will likely have some actual password saving feature for
the next major release with actual cryptographically secure storage, but that
work is still ongoing.)
