Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
A security issue came up in kedpm as shipped in stable (CVE-2017-8296, #860817). It was marked "no-dsa" by the security team, to be fixed in the next point release. This is therefore my attempt at shipping that update.

Unfortunately, I will be offline very soon, for all of May, so it is unlikely that I will be able to perform the upload myself, but hopefully someone can take this and run if I don't respond in time to your permission. :)

Attached is the debdiff, I hope that covers it all...

A.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru kedpm-1.0/debian/changelog kedpm-1.0+deb8u1/debian/changelog --- kedpm-1.0/debian/changelog 2012-11-30 15:45:14.000000000 -0500 +++ kedpm-1.0+deb8u1/debian/changelog 2017-04-26 20:44:11.000000000 -0400 @@ -1,3 +1,10 @@ +kedpm (1.0+deb8u1) jessie; urgency=high + + * Non-maintainer upload by the Security Team. + * fix information leak via command history file (Closes: #860817) + + -- Antoine Beaupré <anar...@debian.org> Wed, 26 Apr 2017 20:44:11 -0400 + kedpm (1.0) unstable; urgency=low * New upstream release. diff -Nru kedpm-1.0/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch kedpm-1.0+deb8u1/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch --- kedpm-1.0/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch 1969-12-31 19:00:00.000000000 -0500 +++ kedpm-1.0+deb8u1/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch 2017-04-26 20:43:55.000000000 -0400 
@@ -0,0 +1,61 @@ +From b8f7e8b3b2cb37425cb89b205c9836c6ac02a048 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anar...@debian.org> +Date: Wed, 26 Apr 2017 16:58:56 -0400 +Subject: [PATCH 1/2] always prompt for password and do not save to database + +--- + kedpm/frontends/cli.py | 38 +++++++++++++++----------------------- + 1 file changed, 15 insertions(+), 23 deletions(-) + +diff --git a/kedpm/frontends/cli.py b/kedpm/frontends/cli.py +index c343138..27cfb70 100644 +--- a/kedpm/frontends/cli.py ++++ b/kedpm/frontends/cli.py +@@ -591,29 +591,21 @@ def complete_rename(self, text, line, begidx, endidx): + return self.complete_dirs(text, line, begidx, endidx) + + def do_passwd(self, arg): +- """Change master password for opened database +- +-Syntax: +- password [new password] +- +-If new password is not provided with command, you will be promted to enter new +-one. +-""" +- +- if not arg: +- # Password is not provided with command. Ask user for it +- pass1 = getpass(_("New password: ")) +- pass2 = getpass(_("Repeat password: ")) +- if pass1 == '': +- print _("Empty passwords are really insecure. You should " \ +- "create one.") +- return +- if pass1!=pass2: +- print _("Passwords don't match! Please repeat.") +- return +- new_pass = pass1 +- else: +- new_pass = arg ++ """Change master password for opened database""" ++ ++ # remove possibly master password from history file ++ readline.remove_history_item(readline.get_current_history_length()-1) ++ # Password is not provided with command. Ask user for it ++ pass1 = getpass(_("New password: ")) ++ pass2 = getpass(_("Repeat password: ")) ++ if pass1 == '': ++ print _("Empty passwords are really insecure. You should " \ ++ "create one.") ++ return ++ if pass1!=pass2: ++ print _("Passwords don't match! 
Please repeat.") ++ return ++ new_pass = pass1 + + self.pdb.changePassword(new_pass) + self.printMessage(_("Password changed.")) +-- +2.11.0 + diff -Nru kedpm-1.0/debian/patches/series kedpm-1.0+deb8u1/debian/patches/series --- kedpm-1.0/debian/patches/series 1969-12-31 19:00:00.000000000 -0500 +++ kedpm-1.0+deb8u1/debian/patches/series 2017-04-26 20:43:55.000000000 -0400 @@ -0,0 +1 @@ +0001-always-prompt-for-password-and-do-not-save-to-databa.patch
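Review bot: the changelog line "fix information leak via command history file" overstates what the debian/changelog hunk delivers, because the patch only stops future `passwd <password>` invocations from being recorded; history files already written by the current stable version still contain any master password that was typed on the command line. A NEWS.Debian entry, or one more sentence in the changelog, telling users to inspect and clean their existing kedpm history file would make the stable update complete from the user's side.

Review bot: in the cli.py hunk, `readline.remove_history_item(readline.get_current_history_length()-1)` raises ValueError when the history is empty (length 0 yields index -1, which remove_history_item rejects as negative), for example when commands are piped in rather than typed at a tty and readline never recorded the line; and the hunk does not show an `import readline` in cli.py, so confirm the module is imported unconditionally there now that do_passwd depends on it. Guard the call, e.g. `n = readline.get_current_history_length()` followed by `if n > 0: readline.remove_history_item(n - 1)`. Two smaller points in the same hunk: `arg` is now accepted and silently discarded, so a user who types `passwd secret` out of habit gets no hint that the argument was ignored and a short warning when `arg` is non-empty would be friendlier; and the comment "remove possibly master password from history file" is slightly off, since the call edits the in-memory readline history, which only reaches the file when it is next written.

Review bot: the patch header says `[PATCH 1/2]`, but the debian/patches/series hunk lists only this one patch. If the second patch of the series is intentionally left out of the stable update, say so in the changelog (or re-export the patch so the header does not suggest a missing piece); if it was meant to be included, series is incomplete. A DEP-3 `Bug-Debian: https://bugs.debian.org/860817` header in the patch would also help later readers connect it to the CVE.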