On 2017-06-27 22:39:23, Cyril Brulebois wrote:
> Control: tag -1 confirmed
> 
> Antoine Beaupre <anar...@debian.org> (2017-04-30):
>> diff -Nru kedpm-1.0/debian/changelog kedpm-1.0+deb8u1/debian/changelog
>> --- kedpm-1.0/debian/changelog 2012-11-30 15:45:14.000000000 -0500
>> +++ kedpm-1.0+deb8u1/debian/changelog 2017-04-26 20:44:11.000000000
>> -0400
>> @@ -1,3 +1,10 @@
>> +kedpm (1.0+deb8u1) jessie; urgency=high
>> +
>> + * Non-maintainer upload by the Security Team.
>> + * fix information leak via command history file (Closes: #860817)
>> +
>> + -- Antoine Beaupré <anar...@debian.org> Wed, 26 Apr 2017 20:44:11 -0400
>> +
>> kedpm (1.0) unstable; urgency=low
>> 
>> * New upstream release.
>> diff -Nru
>> kedpm-1.0/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
>> 
>> kedpm-1.0+deb8u1/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
>> ---
>> kedpm-1.0/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
>> 1969-12-31 19:00:00.000000000 -0500
>> +++
>> kedpm-1.0+deb8u1/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
>> 2017-04-26 20:43:55.000000000 -0400
>> @@ -0,0 +1,61 @@
>> +From b8f7e8b3b2cb37425cb89b205c9836c6ac02a048 Mon Sep 17 00:00:00 2001
>> +From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anar...@debian.org>
>> +Date: Wed, 26 Apr 2017 16:58:56 -0400
>> +Subject: [PATCH 1/2] always prompt for password and do not save to database
> 
> The 1/2 part seems a bit weird here; was the second patch relevant for
> this security fix?
No, it wasn't.

>> +- """Change master password for opened database
>> +-
>> +-Syntax:
>> +- password [new password]
>> +-
>> +-If new password is not provided with command, you will be promted to enter
>> new
>> +-one.
>> +-"""
>> +-
>> +- if not arg:
>> +- # Password is not provided with command. Ask user for it
>> +- pass1 = getpass(_("New password: "))
>> +- pass2 = getpass(_("Repeat password: "))
>> +- if pass1 == '':
>> +- print _("Empty passwords are really insecure. You should "
>> \
>> +- "create one.")
>> +- return
>> +- if pass1!=pass2:
>> +- print _("Passwords don't match! Please repeat.")
>> +- return
>> +- new_pass = pass1
>> +- else:
>> +- new_pass = arg
>> ++ """Change master password for opened database"""
>> ++
>> ++ # remove possibly master password from history file
>> ++
>> readline.remove_history_item(readline.get_current_history_length()-1)
> 
> I'm assuming the history was already updated to include the last/current
> command?

Yes: the command handling framework automatically records the current
command in the history.

>> ++ # Password is not provided with command. Ask user for it
> 
> I suppose this became a bit of a lie. :) Feel free to replace it with
> “Always ask the user for the password”, or remove it entirely.
> 
> With or without the comment fix, feel free to upload.

Thanks.

A.

-- 
We are discreet sheep; we wait to see how the drove is going, and then go
with the drove.
                        - Mark Twain
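Review bot: the changelog hunk's single bullet, `* fix information leak via command history file (Closes: #860817)`, leaves out the user-visible behaviour change that ships with the fix: the `password [new password]` form documented in the removed docstring is gone and the command now always prompts interactively. A second bullet saying that the new master password can no longer be passed as an argument would save anyone who scripted that form from a surprise after upgrading.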
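Review bot: `readline.remove_history_item(readline.get_current_history_length()-1)` in the added `do_password` body assumes at least one history entry exists. If the history is empty (nothing was recorded, for example when the command did not come from an interactive readline prompt), `get_current_history_length()` returns 0 and `remove_history_item(-1)` raises `ValueError`, which aborts the password change instead of silently doing nothing. Guard it with `n = readline.get_current_history_length()` / `if n > 0:` / `readline.remove_history_item(n - 1)`. Separately, the patch description should spell out the scope of the fix: removing the entry from the in-memory history stops the current session from writing it out, but it does not scrub `password <secret>` lines that earlier sessions already saved to the history file, so users should be told to inspect and clean that file once.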