Date: Thu, 27 Apr 2017 10:09:13 +0200 From: Emilio Pozuelo Monfort <pochu27@...il.com> To: oss-security@...ts.openwall.com, Antoine Beaupré <anarcat@...ngeseeds.org> Subject: Re: kedpm: Information leak via the command history file Hi, On 26/04/17 22:52, Antoine Beaupré wrote: > A vulnerability was discovered in the kedpm password manager that may > expose the master password when changed, if passed on the commandline. > > Example, good: > > kedpm> passwd > New password: > Repeat password: > Password changed. > kedpm> > > Example, bad: > > kedpm:/> passwd bar > Password changed > > The former will show "passwd" in the ~/.kedpm/history file while the > latter will show "passwd bar" in the history file, divulging the > password in clear text. > > Also, all password *names* that are created or consulted are saved in > the history file, something that users may not expect (although you have > to wonder how they thought history worked). > > This is documented in the Debian bugtracker: > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860817 > > But I would like to get a CVE assigned for wider diffusion. You need to request it at https://cveform.mitre.org/ You can follow up here with the number when you get one assigned. Cheers, Emilio
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ