Debian Bug report logs -
#860817
kedpm: CVE-2017-8296: Information leak via the command history file
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#860817; Package src:kedpm.
(Thu, 20 Apr 2017 15:00:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Gabriel Filion <gabster@lelutin.ca>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Antoine Beaupré <anarcat@debian.org>.
(Thu, 20 Apr 2017 15:00:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: kedpm
Version: 1.0
Severity: grave
Tags: upstream security
Justification: user security hole
Hello,
I've discovered an information leak that can give some hints about what ppl
search and read in the password manager.
kedpm is creating a history file in ~/.kedpm/history that is written in clear
text. All of the commands that are done in the password manager are writted
there.
This also means that if someone uses the "password" command with the password
as an argument to change the database's master password, the new password gets
leaked in plaintext to that file!
The issue was already reported upstream[0]. However, the upstream project seems
to be unmoving since a couple of years already.
[0]: https://sourceforge.net/p/kedpm/bugs/6/
I've discovered the bug in wheezy, so in 0.5.0 but the same problem applies to
later releases.
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.utf8, LC_CTYPE=en_CA.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_CA.utf8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Information forwarded
to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#860817; Package src:kedpm.
(Wed, 26 Apr 2017 21:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Antoine Beaupré <anarcat@anarc.at>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>.
(Wed, 26 Apr 2017 21:03:04 GMT) (full text, mbox, link).
Message #10 received at 860817@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags -1 +patch
I have requested a CVE on the oss-security mailing list.
In the meantime, there's this patch that should apply to jessie and can
probably be backported to wheezy as well.
It simply removes the "passwd" entries from the history before it is
written to disk. It will not hide other password names that are created
or fetched from the database, but I consider that a minor issue that
doesn't warrant a full rearchitecture.
I have also requested complete removal of kedpm from sid/stretch, as it
is unmaintained, see #861277.
A.
--
Brief is this existence, as a fleeting visit in a strange house.
The path to be pursued is poorly lit by a flickering consciousness.
- Albert Einstein
[0001-always-prompt-for-password-and-do-not-save-to-databa.patch (text/x-diff, inline)]
From 247287a9fbe05db9279771e67dae8082bc3bdba2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Wed, 26 Apr 2017 16:58:56 -0400
Subject: [PATCH] always prompt for password and do not save to database
---
kedpm/frontends/cli.py | 38 +++++++++++++++-----------------------
1 file changed, 15 insertions(+), 23 deletions(-)
diff --git a/kedpm/frontends/cli.py b/kedpm/frontends/cli.py
index db1c27d..1f9df46 100644
--- a/kedpm/frontends/cli.py
+++ b/kedpm/frontends/cli.py
@@ -591,29 +591,21 @@ def complete_rename(self, text, line, begidx, endidx):
return self.complete_dirs(text, line, begidx, endidx)
def do_passwd(self, arg):
- """Change master password for opened database
-
-Syntax:
- password [new password]
-
-If new password is not provided with command, you will be promted to enter new
-one.
-"""
-
- if not arg:
- # Password is not provided with command. Ask user for it
- pass1 = getpass(_("New password: "))
- pass2 = getpass(_("Repeat password: "))
- if pass1 == '':
- print _("Empty passwords are really insecure. You should " \
- "create one.")
- return
- if pass1!=pass2:
- print _("Passwords don't match! Please repeat.")
- return
- new_pass = pass1
- else:
- new_pass = arg
+ """Change master password for opened database"""
+
+ # remove possibly master password from history file
+ readline.remove_history_item(readline.get_current_history_length()-1)
+ # Password is not provided with command. Ask user for it
+ pass1 = getpass(_("New password: "))
+ pass2 = getpass(_("Repeat password: "))
+ if pass1 == '':
+ print _("Empty passwords are really insecure. You should " \
+ "create one.")
+ return
+ if pass1!=pass2:
+ print _("Passwords don't match! Please repeat.")
+ return
+ new_pass = pass1
self.pdb.changePassword(new_pass)
self.printMessage(_("Password changed."))
--
2.11.0
Added tag(s) patch.
Request was from Antoine Beaupré <anarcat@anarc.at>
to 860817-submit@bugs.debian.org.
(Wed, 26 Apr 2017 21:03:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#860817; Package src:kedpm.
(Thu, 27 Apr 2017 04:27:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>.
(Thu, 27 Apr 2017 04:27:04 GMT) (full text, mbox, link).
Message #17 received at 860817@bugs.debian.org (full text, mbox, reply):
Hi,
On Wed, Apr 26, 2017 at 05:01:30PM -0400, Antoine Beaupr?? wrote:
> Control: tags -1 +patch
>
> I have requested a CVE on the oss-security mailing list.
Please note that requests are done now via
https://cveform.mitre.org/
Can you please fill a request via that channel?
Regards,
Salvatore
Marked as found in versions kedpm/0.5.0-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 27 Apr 2017 07:36:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#860817; Package src:kedpm.
(Thu, 27 Apr 2017 12:45:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Antoine Beaupré <anarcat@anarc.at>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>.
(Thu, 27 Apr 2017 12:45:03 GMT) (full text, mbox, link).
Message #26 received at 860817@bugs.debian.org (full text, mbox, reply):
On 2017-04-27 06:24:25, Salvatore Bonaccorso wrote:
> Hi,
>
> On Wed, Apr 26, 2017 at 05:01:30PM -0400, Antoine Beaupr?? wrote:
>> Control: tags -1 +patch
>>
>> I have requested a CVE on the oss-security mailing list.
>
> Please note that requests are done now via
>
> https://cveform.mitre.org/
>
> Can you please fill a request via that channel?
Done.
--
We must shift America from a needs- to a desires-culture. People must
be trained to desire, to want new things, even before the old have
been entirely consumed. Man's desires must overshadow his needs.
- Paul Mazur, Lehman Brothers
Information forwarded
to debian-bugs-dist@lists.debian.org, Antoine Beaupré <anarcat@debian.org>:
Bug#860817; Package src:kedpm.
(Fri, 28 Apr 2017 04:15:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Antoine Beaupré <anarcat@debian.org>.
(Fri, 28 Apr 2017 04:15:06 GMT) (full text, mbox, link).
Message #31 received at 860817@bugs.debian.org (full text, mbox, reply):
Control: retitle -1 kedpm: CVE-2017-8296: Information leak via the command history file
CVE-2017-8296 has been assigned for this vulnerability.
Regards,
Salvatore
Changed Bug title to 'kedpm: CVE-2017-8296: Information leak via the command history file' from 'kedpm: Information leak via the command history file'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 860817-submit@bugs.debian.org.
(Fri, 28 Apr 2017 04:15:06 GMT) (full text, mbox, link).
Reply sent
to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility.
(Fri, 28 Apr 2017 08:21:32 GMT) (full text, mbox, link).
Notification sent
to Gabriel Filion <gabster@lelutin.ca>:
Bug acknowledged by developer.
(Fri, 28 Apr 2017 08:21:32 GMT) (full text, mbox, link).
Message #38 received at 860817-done@bugs.debian.org (full text, mbox, reply):
Version: 1.0+rm
Dear submitter,
as the package kedpm has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/861277
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.
Debian distribution maintenance software
pp.
Chris Lamb (the ftpmaster behind the curtain)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 18 Jun 2017 07:27:38 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:37:48 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon