tags 680059 patch
thanks

Hello Stefan,

I talked about this issue with Mikel Olasagasti, an upstream developer, and
he plans to fix it but he can't do it until the end of the month.

Meanwhile he advised me some quick fixes like simply disabling the FPM
exporter or warning that it is an insecure format.

Finally I chose to totally disable it because I think there is a big
mistake in the generated XML, which does not seem to respect the FPM
format specification.

So I did this by setting the 'importer', 'exporter' and 'encryption' vars to
'False' in the 'src/lib/datahandler/fpm.py' file.

It's a quick fix but it satisfies the security issue.

I attached a debdiff and a git-format patch.

Best regards,

Thomas Pierson
From 559383f2c566dff9a1ca0c1771b38256c9e2c84a Mon Sep 17 00:00:00 2001
From: Thomas Pierson <cont...@thomaspierson.fr>
Date: Thu, 9 Aug 2012 09:37:57 +0200
Subject: [PATCH] add a patch to fix bug #680059

---
 debian/changelog                                   |    7 ++++++
 ...pm-exporter-doesnt-encrypt-password-files.patch |   24 ++++++++++++++++++++
 debian/patches/series                              |    1 +
 3 files changed, 32 insertions(+)
 create mode 100644 debian/patches/fix-fpm-exporter-doesnt-encrypt-password-files.patch

diff --git a/debian/changelog b/debian/changelog
index 07d1d8e..4307ffb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+revelation (0.4.13-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+    - Add a new patch to fix CVE-2012-3818 (Closes: #680059)
+
+ -- Thomas Pierson <cont...@thomaspierson.fr>  Fri, 20 Jul 2012 12:12:24 +0200
+
 revelation (0.4.13-1) unstable; urgency=low
 
   * New upstream release (Closes: #595702, #551754, #586646, #293720, #269842)
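Review bot: the changelog entry describes the upload as a fix for CVE-2012-3818, but the patch it adds disables the FPM importer and exporter outright rather than repairing the exporter; say so, so that users of the FPM handler know the functionality is gone, e.g. `- Disable the FPM import/export handler, whose exporter wrote unencrypted password files (CVE-2012-3818, Closes: #680059)`. The entry is also dated Fri, 20 Jul 2012 while the commit is from 9 Aug 2012; refresh the timestamp (`dch -r`) before upload.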
diff --git a/debian/patches/fix-fpm-exporter-doesnt-encrypt-password-files.patch b/debian/patches/fix-fpm-exporter-doesnt-encrypt-password-files.patch
new file mode 100644
index 0000000..3dd0e4d
--- /dev/null
+++ b/debian/patches/fix-fpm-exporter-doesnt-encrypt-password-files.patch
@@ -0,0 +1,24 @@
+Description: Fix FPM exporter doesn't encrypt password files
+  FPM exporter does not seem to work correcty and this introduce a security issue.
+  .
+  Upstream plan to fix the FPM exporter soon but meantime it is better to disable it.
+Author: Thomas Pierson
+Forwarded: https://bitbucket.org/erikg/revelation/issue/78/fpm-exporter-doesnt-encrypt-password-files
+Bug-Debian: http://bugs.debian.org/680059
+
+---
+--- a/src/lib/datahandler/fpm.py
++++ b/src/lib/datahandler/fpm.py
+@@ -38,9 +38,9 @@
+ 	"Data handler for Figaro's Password Manager data"
+ 
+ 	name		= "Figaro's Password Manager"
+-	importer	= True
+-	exporter	= True
+-	encryption	= True
++	importer	= False
++	exporter	= False
++	encryption	= False
+ 
+ 
+ 	def __init__(self):
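Review bot: the DEP-3 Description says "Fix FPM exporter" but the hunk sets `importer = False` as well, so existing FPM files can no longer be read either; document that explicitly, since it goes beyond what the bug title asks for, e.g. `Description: Disable the FPM import/export handler` / `  The FPM exporter writes password files without encryption (CVE-2012-3818), so the whole handler is disabled until upstream fixes it.` Setting `encryption = False` is moot once both importer and exporter are off, but harmless. Also fix the typos in the header ("correcty", "this introduce", "Upstream plan").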
diff --git a/debian/patches/series b/debian/patches/series
index dc10e66..66e71e0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
+fix-fpm-exporter-doesnt-encrypt-password-files.patch
 060_crash_at_save.dpatch
 #130_tooltip_deprecation.dpatch
 010-icons.patch
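Review bot: the new patch is inserted at the head of `series` rather than appended; since it touches only src/lib/datahandler/fpm.py, which none of the existing entries modify, ordering does not affect application, but appending keeps the file's chronological convention and makes the NMU change easy to spot.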
-- 
1.7.10.4

diff -Nru revelation-0.4.13/debian/changelog revelation-0.4.13/debian/changelog
--- revelation-0.4.13/debian/changelog  2012-06-08 11:31:25.000000000 +0200
+++ revelation-0.4.13/debian/changelog  2012-08-08 13:49:19.000000000 +0200
@@ -1,3 +1,10 @@
+revelation (0.4.13-1.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+    - Add a new patch to fix CVE-2012-3818 (Closes: #680059)
+
+ -- Thomas Pierson <cont...@thomaspierson.fr>  Fri, 20 Jul 2012 12:12:24 +0200
+
 revelation (0.4.13-1) unstable; urgency=low
 
   * New upstream release (Closes: #595702, #551754, #586646, #293720, #269842)
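Review bot: this changelog hunk is identical to the one in the git-format patch above, so the same comments apply: state that the FPM handler is disabled rather than the CVE "fixed", and refresh the 20 Jul 2012 timestamp (the debdiff itself is dated 2012-08-08).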
diff -Nru 
revelation-0.4.13/debian/patches/fix-fpm-exporter-doesnt-encrypt-password-files.patch
 
revelation-0.4.13/debian/patches/fix-fpm-exporter-doesnt-encrypt-password-files.patch
--- 
revelation-0.4.13/debian/patches/fix-fpm-exporter-doesnt-encrypt-password-files.patch
       1970-01-01 01:00:00.000000000 +0100
+++ 
revelation-0.4.13/debian/patches/fix-fpm-exporter-doesnt-encrypt-password-files.patch
       2012-08-08 14:37:02.000000000 +0200
@@ -0,0 +1,24 @@
+Description: Fix FPM exporter doesn't encrypt password files
+  FPM exporter does not seem to work correcty and this introduce a security 
issue.
+  .
+  Upstream plan to fix the FPM exporter soon but meantime it is better to 
disable it.
+Author: Thomas Pierson
+Forwarded: 
https://bitbucket.org/erikg/revelation/issue/78/fpm-exporter-doesnt-encrypt-password-files
+Bug-Debian: http://bugs.debian.org/680059
+
+---
+--- a/src/lib/datahandler/fpm.py
++++ b/src/lib/datahandler/fpm.py
+@@ -38,9 +38,9 @@
+       "Data handler for Figaro's Password Manager data"
+ 
+       name            = "Figaro's Password Manager"
+-      importer        = True
+-      exporter        = True
+-      encryption      = True
++      importer        = False
++      exporter        = False
++      encryption      = False
+ 
+ 
+       def __init__(self):
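Review bot: as posted, this debdiff will not apply: the Description continuation lines have been wrapped by the mail client, so `issue.` and `disable it.` appear on their own lines without the leading `+`, and the long `+Forwarded:` URL is split the same way, which breaks the `@@ -0,0 +1,24 @@` line count. Attach the debdiff as a file rather than pasting it inline; the git-format patch above carries the intact copy of this hunk.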
diff -Nru revelation-0.4.13/debian/patches/series 
revelation-0.4.13/debian/patches/series
--- revelation-0.4.13/debian/patches/series     2012-06-08 11:31:25.000000000 
+0200
+++ revelation-0.4.13/debian/patches/series     2012-08-08 14:26:16.000000000 
+0200
@@ -1,3 +1,4 @@
+fix-fpm-exporter-doesnt-encrypt-password-files.patch
 060_crash_at_save.dpatch
 #130_tooltip_deprecation.dpatch
 010-icons.patch
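Review bot: the `---`/`+++` header lines of this file diff were also wrapped, leaving the `+0200` timezone of each timestamp on its own line where `patch` will read it as a stray added line; same remedy as above, send the debdiff as an attachment. The hunk content itself matches the git-format patch.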
