Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 27 Apr 2017 10:09:13 +0200
From: Emilio Pozuelo Monfort <pochu27@...il.com>
To: oss-security@...ts.openwall.com, Antoine Beaupré
 <anarcat@...ngeseeds.org>
Subject: Re: kedpm: Information leak via the command history
 file

Hi,

On 26/04/17 22:52, Antoine Beaupré wrote:
> A vulnerability was discovered in the kedpm password manager that may
> expose the master password when changed, if passed on the commandline.
> 
> Example, good:
> 
> kedpm> passwd
> New password:
> Repeat password:
> Password changed.
> kedpm>
> 
> Example, bad:
> 
> kedpm:/> passwd bar
> Password changed
> 
> The former will show "passwd" in the ~/.kedpm/history file while the
> latter will show "passwd bar" in the history file, divulging the
> password in clear text.
> 
> Also, all password *names* that are created or consulted are saved in
> the history file, something that users may not expect (although you have
> to wonder how they thought history worked).
> 
> This is documented in the Debian bugtracker:
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860817
> 
> But I would like to get a CVE assigned for wider diffusion.

You need to request it at https://cveform.mitre.org/

You can follow up here with the number when you get one assigned.

Cheers,
Emilio

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ