Bug#861541: jessie-pu: package kedpm/1.0

Antoine Beaupre Sun, 30 Apr 2017 07:45:45 -0700

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu


A security issue came up in kedpm as shipped in stable (CVE-2017-8296,
#860817). It was marked "no-dsa" by the security team, to be fixed in
the next point release.

This is therefore my attempt at shipping that update. Unfortunately, I
will be offline very soon, for all of may, so it is unlikely that I
will be able to perform the upload myself, but hopefully someone can
take this and run if I don't respond in time to your permission. :)

Attached is the debdiff, I hope that covers it all...

A.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'unstable')
Architecture: amd64
 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru kedpm-1.0/debian/changelog kedpm-1.0+deb8u1/debian/changelog
--- kedpm-1.0/debian/changelog  2012-11-30 15:45:14.000000000 -0500
+++ kedpm-1.0+deb8u1/debian/changelog   2017-04-26 20:44:11.000000000 -0400
@@ -1,3 +1,10 @@
+kedpm (1.0+deb8u1) jessie; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * fix information leak via command history file (Closes: #860817)
+
+ -- Antoine Beaupré <anar...@debian.org>  Wed, 26 Apr 2017 20:44:11 -0400
+
 kedpm (1.0) unstable; urgency=low
 
   * New upstream release.
diff -Nru 
kedpm-1.0/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
 
kedpm-1.0+deb8u1/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
--- 
kedpm-1.0/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
    1969-12-31 19:00:00.000000000 -0500
+++ 
kedpm-1.0+deb8u1/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
     2017-04-26 20:43:55.000000000 -0400
@@ -0,0 +1,61 @@
+From b8f7e8b3b2cb37425cb89b205c9836c6ac02a048 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anar...@debian.org>
+Date: Wed, 26 Apr 2017 16:58:56 -0400
+Subject: [PATCH 1/2] always prompt for password and do not save to database
+
+---
+ kedpm/frontends/cli.py | 38 +++++++++++++++-----------------------
+ 1 file changed, 15 insertions(+), 23 deletions(-)
+
+diff --git a/kedpm/frontends/cli.py b/kedpm/frontends/cli.py
+index c343138..27cfb70 100644
+--- a/kedpm/frontends/cli.py
++++ b/kedpm/frontends/cli.py
+@@ -591,29 +591,21 @@ def complete_rename(self, text, line, begidx, endidx):
+         return self.complete_dirs(text, line, begidx, endidx)
+ 
+     def do_passwd(self, arg):
+-        """Change master password for opened database
+-        
+-Syntax:
+-    password [new password]
+-
+-If new password is not provided with command, you will be promted to enter new
+-one.
+-"""
+-
+-        if not arg:
+-            # Password is not provided with command. Ask user for it
+-            pass1 = getpass(_("New password: "))
+-            pass2 = getpass(_("Repeat password: "))
+-            if pass1 == '':
+-                print _("Empty passwords are really insecure. You should " \
+-                        "create one.")
+-                return
+-            if pass1!=pass2:
+-                print _("Passwords don't match! Please repeat.")
+-                return
+-            new_pass = pass1
+-        else:
+-            new_pass = arg
++        """Change master password for opened database"""
++
++        # remove possibly master password from history file
++        readline.remove_history_item(readline.get_current_history_length()-1)
++        # Password is not provided with command. Ask user for it
++        pass1 = getpass(_("New password: "))
++        pass2 = getpass(_("Repeat password: "))
++        if pass1 == '':
++            print _("Empty passwords are really insecure. You should " \
++                    "create one.")
++            return
++        if pass1!=pass2:
++            print _("Passwords don't match! Please repeat.")
++            return
++        new_pass = pass1
+ 
+         self.pdb.changePassword(new_pass)
+         self.printMessage(_("Password changed."))
+-- 
+2.11.0
+
diff -Nru kedpm-1.0/debian/patches/series kedpm-1.0+deb8u1/debian/patches/series
--- kedpm-1.0/debian/patches/series     1969-12-31 19:00:00.000000000 -0500
+++ kedpm-1.0+deb8u1/debian/patches/series      2017-04-26 20:43:55.000000000 
-0400
@@ -0,0 +1 @@
+0001-always-prompt-for-password-and-do-not-save-to-databa.patch

Bug#861541: jessie-pu: package kedpm/1.0

Reply via email to