tags 680059 patch thanks
Hello Stefan,

I talked about this issue with Mikel Olasagasti, an upstream developer, and he plans to fix it but he can't do it until the end of the month. Meanwhile he advised me some quick fixes, like simply disabling the FPM exporter or warning that it is an insecure format. Finally I chose to totally disable it because I think there is a big mistake in the generated XML, which does not seem to respect the FPM format specification. So I did this by setting the 'importer', 'exporter' and 'encryption' vars to 'False' in the 'src/lib/datahandler/fpm.py' file. It's a quick fix but it satisfies the security issue. I attached a debdiff and a git-format patch.

Best regards,
Thomas Pierson
>From 559383f2c566dff9a1ca0c1771b38256c9e2c84a Mon Sep 17 00:00:00 2001 From: Thomas Pierson <cont...@thomaspierson.fr> Date: Thu, 9 Aug 2012 09:37:57 +0200 Subject: [PATCH] add a patch to fix bug #680059 --- debian/changelog | 7 ++++++ ...pm-exporter-doesnt-encrypt-password-files.patch | 24 ++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 32 insertions(+) create mode 100644 debian/patches/fix-fpm-exporter-doesnt-encrypt-password-files.patch diff --git a/debian/changelog b/debian/changelog index 07d1d8e..4307ffb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +revelation (0.4.13-1.1) unstable; urgency=low + + * Non-maintainer upload. + - Add a new patch to fix CVE-2012-3818 (Closes: #680059) + + -- Thomas Pierson <cont...@thomaspierson.fr> Fri, 20 Jul 2012 12:12:24 +0200 + revelation (0.4.13-1) unstable; urgency=low * New upstream release (Closes: #595702, #551754, #586646, #293720, #269842) diff --git a/debian/patches/fix-fpm-exporter-doesnt-encrypt-password-files.patch b/debian/patches/fix-fpm-exporter-doesnt-encrypt-password-files.patch new file mode 100644 index 0000000..3dd0e4d --- /dev/null +++ b/debian/patches/fix-fpm-exporter-doesnt-encrypt-password-files.patch @@ -0,0 +1,24 @@ +Description: Fix FPM exporter doesn't encrypt password files + FPM exporter does not seem to work correcty and this introduce a security issue. + . + Upstream plan to fix the FPM exporter soon but meantime it is better to disable it. +Author: Thomas Pierson +Forwarded: https://bitbucket.org/erikg/revelation/issue/78/fpm-exporter-doesnt-encrypt-password-files +Bug-Debian: http://bugs.debian.org/680059 + +--- +--- a/src/lib/datahandler/fpm.py ++++ b/src/lib/datahandler/fpm.py +@@ -38,9 +38,9 @@ + "Data handler for Figaro's Password Manager data" + + name = "Figaro's Password Manager" +- importer = True +- exporter = True +- encryption = True ++ importer = False ++ exporter = False ++ encryption = False + + + def __init__(self): 
diff --git a/debian/patches/series b/debian/patches/series index dc10e66..66e71e0 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ +fix-fpm-exporter-doesnt-encrypt-password-files.patch 060_crash_at_save.dpatch #130_tooltip_deprecation.dpatch 010-icons.patch -- 1.7.10.4
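Review bot: the debian/changelog stanza is dated "Fri, 20 Jul 2012 12:12:24 +0200" while the commit header above it says "Thu, 9 Aug 2012 09:37:57 +0200", so the changelog trailer predates the change it describes; regenerate it (for example with dch -r) just before upload. The bullet "- Add a new patch to fix CVE-2012-3818 (Closes: #680059)" also reads as a fix, whereas the patch disables the FPM importer and exporter outright, which users who rely on FPM import should be told in the changelog.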
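Review bot: the fpm.py hunk flips "importer = True" to "importer = False" as well as the exporter and encryption flags, but the DEP-3 Description only describes the exporter not encrypting; either limit the change to "exporter = False" and "encryption = False", or state in the Description that FPM import is deliberately disabled too, since reading an FPM file is not the reported problem. While touching the header, fix "correcty" to "correctly" and "this introduce" to "this introduces".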
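Review bot: the series hunk prepends fix-fpm-exporter-doesnt-encrypt-password-files.patch ahead of 060_crash_at_save.dpatch and 010-icons.patch; the usual convention is to append a new patch at the end so the series file records application order. None of the existing patches touch src/lib/datahandler/fpm.py as far as this diff shows, so this is a style point only.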
diff -Nru revelation-0.4.13/debian/changelog revelation-0.4.13/debian/changelog --- revelation-0.4.13/debian/changelog 2012-06-08 11:31:25.000000000 +0200 +++ revelation-0.4.13/debian/changelog 2012-08-08 13:49:19.000000000 +0200 @@ -1,3 +1,10 @@ +revelation (0.4.13-1.1) unstable; urgency=low + + * Non-maintainer upload. + - Add a new patch to fix CVE-2012-3818 (Closes: #680059) + + -- Thomas Pierson <cont...@thomaspierson.fr> Fri, 20 Jul 2012 12:12:24 +0200 + revelation (0.4.13-1) unstable; urgency=low * New upstream release (Closes: #595702, #551754, #586646, #293720, #269842) diff -Nru revelation-0.4.13/debian/patches/fix-fpm-exporter-doesnt-encrypt-password-files.patch revelation-0.4.13/debian/patches/fix-fpm-exporter-doesnt-encrypt-password-files.patch --- revelation-0.4.13/debian/patches/fix-fpm-exporter-doesnt-encrypt-password-files.patch 1970-01-01 01:00:00.000000000 +0100 +++ revelation-0.4.13/debian/patches/fix-fpm-exporter-doesnt-encrypt-password-files.patch 2012-08-08 14:37:02.000000000 +0200 
@@ -0,0 +1,24 @@ +Description: Fix FPM exporter doesn't encrypt password files + FPM exporter does not seem to work correcty and this introduce a security issue. + . + Upstream plan to fix the FPM exporter soon but meantime it is better to disable it. +Author: Thomas Pierson +Forwarded: https://bitbucket.org/erikg/revelation/issue/78/fpm-exporter-doesnt-encrypt-password-files +Bug-Debian: http://bugs.debian.org/680059 + +--- +--- a/src/lib/datahandler/fpm.py ++++ b/src/lib/datahandler/fpm.py +@@ -38,9 +38,9 @@ + "Data handler for Figaro's Password Manager data" + + name = "Figaro's Password Manager" +- importer = True +- exporter = True +- encryption = True ++ importer = False ++ exporter = False ++ encryption = False + + + def __init__(self): diff -Nru revelation-0.4.13/debian/patches/series revelation-0.4.13/debian/patches/series --- revelation-0.4.13/debian/patches/series 2012-06-08 11:31:25.000000000 +0200 +++ revelation-0.4.13/debian/patches/series 2012-08-08 14:26:16.000000000 +0200 @@ -1,3 +1,4 @@ +fix-fpm-exporter-doesnt-encrypt-password-files.patch 060_crash_at_save.dpatch #130_tooltip_deprecation.dpatch 010-icons.patch
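Review bot: the debdiff carries the same three hunks as the git-format patch above, including the "Fri, 20 Jul 2012" changelog trailer against a changelog mtime of 2012-08-08, so the same comments apply; once the changelog date is regenerated, rebuild both attachments from the same tree so they do not diverge.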
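An added example, not part of this message and not Revelation's own code: the patch above works by turning off the three capability flags so the handler is never offered, but nothing in the export path verifies that a handler which claims `encryption = True` actually produced ciphertext. The script below models that missing check. The handler registry, entry layout and XML shape are assumptions made for the demo; only the three class flags (importer, exporter, encryption) mirror the attributes changed in the fpm.py hunk, and the sample vault is constructed data.

```python
"""Added example (not Revelation's code): a guard on the export path that
checks a data handler's 'encryption' claim against the bytes it actually
wrote, the failure mode behind Debian bug #680059 / CVE-2012-3818.
The handler registry, entry layout and XML shape below are assumptions
made for the demo; only the three class flags (importer, exporter,
encryption) mirror the attributes changed in the fpm.py hunk."""

import xml.etree.ElementTree as ET


class PlaintextExportError(Exception):
    """A handler that advertises encryption leaked a secret verbatim."""


class Handler:
    # Capability flags, same names as Revelation's data handlers; assumed
    # to be what the export dialog consults when listing formats.
    name = "base"
    importer = False
    exporter = False
    encryption = False

    def export_data(self, entries, password):
        raise NotImplementedError


class BuggyFPMHandler(Handler):
    """Unpatched behaviour: flags say 'encrypted', output is clear text.
    The XML layout is constructed for the demo, not the real FPM format."""
    name = "Figaro's Password Manager"
    importer = True
    exporter = True
    encryption = True

    def export_data(self, entries, password):
        root = ET.Element("FPM")
        for entry in entries:
            item = ET.SubElement(root, "PasswordItem")
            ET.SubElement(item, "title").text = entry["title"]
            ET.SubElement(item, "password").text = entry["password"]  # leak
        return ET.tostring(root)


class DisabledFPMHandler(BuggyFPMHandler):
    """What the Debian patch does: all three flags off, code left in place."""
    importer = False
    exporter = False
    encryption = False


class CSVHandler(Handler):
    """Honest plaintext exporter: encryption = False is accurate."""
    name = "CSV"
    exporter = True

    def export_data(self, entries, password):
        rows = [f'{e["title"]},{e["password"]}' for e in entries]
        return "\n".join(rows).encode()


def export_handlers(handlers):
    """Handlers an export dialog may offer; exporter=False hides a handler."""
    return [h for h in handlers if h.exporter]


def safe_export(handler, entries, password, allow_plaintext=False):
    """Run the handler, then verify its encryption claim: neither the master
    password nor any entry password may appear verbatim in output that the
    handler says is encrypted. Plaintext formats need an explicit opt-in."""
    if not handler.exporter:
        raise ValueError(f"{handler.name}: export disabled")
    if not handler.encryption and not allow_plaintext:
        raise ValueError(f"{handler.name}: plaintext format, confirm explicitly")
    data = handler.export_data(entries, password)
    if handler.encryption:
        for secret in [password] + [e["password"] for e in entries]:
            if secret.encode() in data:
                raise PlaintextExportError(
                    f"{handler.name}: claims encryption but wrote a secret in clear")
    return data


# Constructed sample vault for the demo, not real credentials.
SAMPLE_ENTRIES = [
    {"title": "mail", "password": "s3cret-mail"},
    {"title": "bank", "password": "hunter2!"},
]


def demo():
    """One outcome per handler class: the buggy exporter is caught by the
    output check, the patched one is refused before running, CSV is allowed
    only because the caller acknowledged it is plaintext."""
    outcome = {}
    for handler in (BuggyFPMHandler(), DisabledFPMHandler(), CSVHandler()):
        try:
            safe_export(handler, SAMPLE_ENTRIES, "master",
                        allow_plaintext=isinstance(handler, CSVHandler))
            outcome[type(handler).__name__] = "exported"
        except PlaintextExportError:
            outcome[type(handler).__name__] = "blocked: plaintext leak"
        except ValueError as exc:
            outcome[type(handler).__name__] = f"refused: {exc}"
    return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The output check is deliberately crude (a substring search for each secret) because it is a last line of defence, not a proof of encryption: it cannot tell good ciphertext from obfuscation, but it does catch exactly the class of bug reported here, where a format advertised as encrypted is written in clear. Disabling the handler, as the Debian patch does, removes the FPM entry from `export_handlers` entirely and is the right short-term mitigation; the guard is what would have made the mismatch visible before users trusted the file.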