Bug#860817: kedpm: Information leak via the command history file
Control: retitle -1 kedpm: CVE-2017-8296: Information leak via the command history file CVE-2017-8296 has been assigned for this vulnerability. Regards, Salvatore
Bug#860817: kedpm: Information leak via the command history file
On 2017-04-27 06:24:25, Salvatore Bonaccorso wrote: > Hi, > > On Wed, Apr 26, 2017 at 05:01:30PM -0400, Antoine Beaupr?? wrote: >> Control: tags -1 +patch >> >> I have requested a CVE on the oss-security mailing list. > > Please note that requests are done now via > > https://cveform.mitre.org/ > > Can you please fill a request via that channel? Done. -- We must shift America from a needs- to a desires-culture. People must be trained to desire, to want new things, even before the old have been entirely consumed. Man's desires must overshadow his needs. - Paul Mazur, Lehman Brothers
Bug#860817: kedpm: Information leak via the command history file
Hi, On Wed, Apr 26, 2017 at 05:01:30PM -0400, Antoine Beaupr?? wrote: > Control: tags -1 +patch > > I have requested a CVE on the oss-security mailing list. Please note that requests are done now via https://cveform.mitre.org/ Can you please fill a request via that channel? Regards, Salvatore
Bug#860817: kedpm: Information leak via the command history file
Control: tags -1 +patch I have requested a CVE on the oss-security mailing list. In the meantime, there's this patch that should apply to jessie and can probably be backported to wheezy as well. It simply removes the "passwd" entries from the history before it is written to disk. It will not hide other password names that are created or fetched from the database, but I consider that a minor issue that doesn't warrant a full rearchitecture. I have also requested complete removal of kedpm from sid/stretch, as it is unmaintained, see #861277. A. -- Brief is this existence, as a fleeting visit in a strange house. The path to be pursued is poorly lit by a flickering consciousness. - Albert Einstein >From 247287a9fbe05db9279771e67dae8082bc3bdba2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?=Date: Wed, 26 Apr 2017 16:58:56 -0400 Subject: [PATCH] always prompt for password and do not save to database --- kedpm/frontends/cli.py | 38 +++--- 1 file changed, 15 insertions(+), 23 deletions(-) diff --git a/kedpm/frontends/cli.py b/kedpm/frontends/cli.py index db1c27d..1f9df46 100644 --- a/kedpm/frontends/cli.py +++ b/kedpm/frontends/cli.py @@ -591,29 +591,21 @@ def complete_rename(self, text, line, begidx, endidx): return self.complete_dirs(text, line, begidx, endidx) def do_passwd(self, arg): -"""Change master password for opened database - -Syntax: -password [new password] - -If new password is not provided with command, you will be promted to enter new -one. -""" - -if not arg: -# Password is not provided with command. Ask user for it -pass1 = getpass(_("New password: ")) -pass2 = getpass(_("Repeat password: ")) -if pass1 == '': -print _("Empty passwords are really insecure. You should " \ -"create one.") -return -if pass1!=pass2: -print _("Passwords don't match! Please repeat.") -return -new_pass = pass1 -else: -new_pass = arg +"""Change master password for opened database""" + +# remove possibly master password from history file +readline.remove_history_item(readline.get_current_history_length()-1) +# Password is not provided with command. Ask user for it +pass1 = getpass(_("New password: ")) +pass2 = getpass(_("Repeat password: ")) +if pass1 == '': +print _("Empty passwords are really insecure. You should " \ +"create one.") +return +if pass1!=pass2: +print _("Passwords don't match! Please repeat.") +return +new_pass = pass1 self.pdb.changePassword(new_pass) self.printMessage(_("Password changed.")) -- 2.11.0
Bug#860817: kedpm: Information leak via the command history file
Source: kedpm Version: 1.0 Severity: grave Tags: upstream security Justification: user security hole Hello, I've discovered an information leak that can give some hints about what ppl search and read in the password manager. kedpm is creating a history file in ~/.kedpm/history that is written in clear text. All of the commands that are done in the password manager are writted there. This also means that if someone uses the "password" command with the password as an argument to change the database's master password, the new password gets leaked in plaintext to that file! The issue was already reported upstream[0]. However, the upstream project seems to be unmoving since a couple of years already. [0]: https://sourceforge.net/p/kedpm/bugs/6/ I've discovered the bug in wheezy, so in 0.5.0 but the same problem applies to later releases. -- System Information: Debian Release: 9.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_CA.utf8, LC_CTYPE=en_CA.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_CA.utf8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)