Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 27 Apr 2017 08:43:46 -0400
From: Antoine Beaupré <anarcat@...ngeseeds.org>
To: Emilio Pozuelo Monfort <pochu27@...il.com>, oss-security@...ts.openwall.com
Subject: Re: kedpm: Information leak via the command history file

On 2017-04-27 10:09:13, Emilio Pozuelo Monfort wrote:
> Hi,
>
> On 26/04/17 22:52, Antoine Beaupré wrote:
>> A vulnerability was discovered in the kedpm password manager that may
>> expose the master password when changed, if passed on the commandline.
>> 
>> Example, good:
>> 
>> kedpm> passwd
>> New password:
>> Repeat password:
>> Password changed.
>> kedpm>
>> 
>> Example, bad:
>> 
>> kedpm:/> passwd bar
>> Password changed
>> 
>> The former will show "passwd" in the ~/.kedpm/history file while the
>> latter will show "passwd bar" in the history file, divulging the
>> password in clear text.
>> 
>> Also, all password *names* that are created or consulted are saved in
>> the history file, something that users may not expect (although you have
>> to wonder how they thought history worked).
>> 
>> This is documented in the Debian bugtracker:
>> 
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860817
>> 
>> But I would like to get a CVE assigned for wider diffusion.
>
> You need to request it at https://cveform.mitre.org/
>
> You can follow up here with the number when you get one assigned.

I have requested a CVE.

-- 
The history of any one part of the earth, like the life of a soldier,
consists of long periods of boredom and short periods of terror.
                       - British geologist Derek V. Ager

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ