Date: Thu, 27 Apr 2017 10:09:13 +0200
From: Emilio Pozuelo Monfort <>
To:, Antoine Beaupré
Subject: Re: kedpm: Information leak via the command history


On 26/04/17 22:52, Antoine Beaupré wrote:
> A vulnerability was discovered in the kedpm password manager that may
> expose the master password when changed, if passed on the commandline.
> Example, good:
> kedpm> passwd
> New password:
> Repeat password:
> Password changed.
> kedpm>
> Example, bad:
> kedpm:/> passwd bar
> Password changed
> The former will show "passwd" in the ~/.kedpm/history file while the
> latter will show "passwd bar" in the history file, divulging the
> password in clear text.
> Also, all password *names* that are created or consulted are saved in
> the history file, something that users may not expect (although you have
> to wonder how they thought history worked).
> This is documented in the Debian bugtracker:
> But I would like to get a CVE assigned for wider diffusion.

You need to request it at

You can follow up here with the number when you get one assigned.
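
A check for the leak reported in this thread, as an added example that is not part of the original messages or of kedpm: it scans a history file for `passwd` entries that carry an argument, reports their line numbers without printing the secret, and can rewrite the file with the argument dropped. It assumes the history file holds one command per line; the function names and the sample lines are constructed for illustration.

```python
import os
import shlex

# Path named in the report. Assumption: one CLI command per line, as the
# report's examples ("passwd" vs. "passwd bar") suggest.
HISTORY_PATH = "~/.kedpm/history"

# Constructed sample history, not taken from a real system.
SAMPLE = ["ls", "passwd", "cd /mail", "passwd bar",
          "  passwd 'two words'", "find passwd-site"]

def leaks_password(line):
    """True if the line is a `passwd` command that carries an argument."""
    try:
        tokens = shlex.split(line)
    except ValueError:              # unbalanced quotes: plain whitespace split
        tokens = line.split()
    return len(tokens) > 1 and tokens[0] == "passwd"

def audit(lines):
    """1-based line numbers of leaking entries; the secret is never returned."""
    return [n for n, line in enumerate(lines, 1) if leaks_password(line)]

def redact(lines):
    """History with the argument of every leaking `passwd` entry dropped."""
    return ["passwd" if leaks_password(line) else line for line in lines]

def scrub_file(path=HISTORY_PATH):
    """Redact the history file in place (mode 0600); return the hit lines."""
    path = os.path.expanduser(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = fh.read().splitlines()
    hits = audit(lines)
    if hits:
        tmp = path + ".tmp"
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        os.fchmod(fd, 0o600)        # enforce 0600 even if tmp already existed
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write("\n".join(redact(lines)) + "\n")
        os.replace(tmp, path)       # atomic swap on the same filesystem
    return hits

if __name__ == "__main__":
    print("leaking history lines in sample:", audit(SAMPLE))
```

Redacting the file does not un-expose a master password that was already written to disk, so a hit also means changing the password again through the interactive `passwd` prompt.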

