Bug#860817: kedpm: Information leak via the command history file

2017-04-27 Thread Salvatore Bonaccorso 
Control: retitle -1 kedpm: CVE-2017-8296: Information leak via the command 
history file

CVE-2017-8296 has been assigned for this vulnerability.

Regards,
Salvatore

Bug#860817: kedpm: Information leak via the command history file

2017-04-27 Thread Antoine Beaupré 
On 2017-04-27 06:24:25, Salvatore Bonaccorso wrote:
> Hi,
>
> On Wed, Apr 26, 2017 at 05:01:30PM -0400, Antoine Beaupr?? wrote:
>> Control: tags -1 +patch
>> 
>> I have requested a CVE on the oss-security mailing list.
>
> Please note that requests are done now via 
>
> https://cveform.mitre.org/
>
> Can you please fill a request via that channel?

Done.

-- 
We must shift America from a needs- to a desires-culture. People must
be trained to desire, to want new things, even before the old have
been entirely consumed. Man's desires must overshadow his needs.
 - Paul Mazur, Lehman Brothers

Bug#860817: kedpm: Information leak via the command history file

2017-04-26 Thread Salvatore Bonaccorso 
Hi,

On Wed, Apr 26, 2017 at 05:01:30PM -0400, Antoine Beaupr?? wrote:
> Control: tags -1 +patch
> 
> I have requested a CVE on the oss-security mailing list.

Please note that requests are done now via 

https://cveform.mitre.org/

Can you please fill a request via that channel?

Regards,
Salvatore

Bug#860817: kedpm: Information leak via the command history file

2017-04-26 Thread Antoine Beaupré 
Control: tags -1 +patch

I have requested a CVE on the oss-security mailing list.

In the meantime, there's this patch that should apply to jessie and can
probably be backported to wheezy as well.

It simply removes the "passwd" entries from the history before it is
written to disk. It will not hide other password names that are created
or fetched from the database, but I consider that a minor issue that
doesn't warrant a full rearchitecture.

I have also requested complete removal of kedpm from sid/stretch, as it
is unmaintained, see #861277.

A.

-- 
Brief is this existence, as a fleeting visit in a strange house.
The path to be pursued is poorly lit by a flickering consciousness.
   - Albert Einstein
>From 247287a9fbe05db9279771e67dae8082bc3bdba2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= 
Date: Wed, 26 Apr 2017 16:58:56 -0400
Subject: [PATCH] always prompt for password and do not save to database

---
 kedpm/frontends/cli.py | 38 +++---
 1 file changed, 15 insertions(+), 23 deletions(-)

diff --git a/kedpm/frontends/cli.py b/kedpm/frontends/cli.py
index db1c27d..1f9df46 100644
--- a/kedpm/frontends/cli.py
+++ b/kedpm/frontends/cli.py
@@ -591,29 +591,21 @@ def complete_rename(self, text, line, begidx, endidx):
 return self.complete_dirs(text, line, begidx, endidx)
 
 def do_passwd(self, arg):
-"""Change master password for opened database
-
-Syntax:
-password [new password]
-
-If new password is not provided with command, you will be promted to enter new
-one.
-"""
-
-if not arg:
-# Password is not provided with command. Ask user for it
-pass1 = getpass(_("New password: "))
-pass2 = getpass(_("Repeat password: "))
-if pass1 == '':
-print _("Empty passwords are really insecure. You should " \
-"create one.")
-return
-if pass1!=pass2:
-print _("Passwords don't match! Please repeat.")
-return
-new_pass = pass1
-else:
-new_pass = arg
+"""Change master password for opened database"""
+
+# remove possibly master password from history file
+readline.remove_history_item(readline.get_current_history_length()-1)
+# Password is not provided with command. Ask user for it
+pass1 = getpass(_("New password: "))
+pass2 = getpass(_("Repeat password: "))
+if pass1 == '':
+print _("Empty passwords are really insecure. You should " \
+"create one.")
+return
+if pass1!=pass2:
+print _("Passwords don't match! Please repeat.")
+return
+new_pass = pass1
 
 self.pdb.changePassword(new_pass)
 self.printMessage(_("Password changed."))
-- 
2.11.0

Bug#860817: kedpm: Information leak via the command history file

2017-04-20 Thread Gabriel Filion 
Source: kedpm
Version: 1.0
Severity: grave
Tags: upstream security
Justification: user security hole

Hello,

I've discovered an information leak that can give some hints about what ppl
search and read in the password manager.

kedpm is creating a history file in ~/.kedpm/history that is written in clear
text. All of the commands that are done in the password manager are writted
there.

This also means that if someone uses the "password" command with the password
as an argument to change the database's master password, the new password gets
leaked in plaintext to that file!

The issue was already reported upstream[0]. However, the upstream project seems
to be unmoving since a couple of years already.

[0]: https://sourceforge.net/p/kedpm/bugs/6/

I've discovered the bug in wheezy, so in 0.5.0 but the same problem applies to
later releases.

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.utf8, LC_CTYPE=en_CA.utf8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_CA.utf8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)