Date: Thu, 27 Apr 2017 08:43:46 -0400
From: Antoine Beaupré <>
To: Emilio Pozuelo Monfort <>,
Subject: Re: kedpm: Information leak via the command history file

On 2017-04-27 10:09:13, Emilio Pozuelo Monfort wrote:
> Hi,
> On 26/04/17 22:52, Antoine Beaupré wrote:
>> A vulnerability was discovered in the kedpm password manager that may
>> expose the master password when changed, if passed on the commandline.
>> Example, good:
>> kedpm> passwd
>> New password:
>> Repeat password:
>> Password changed.
>> kedpm>
>> Example, bad:
>> kedpm:/> passwd bar
>> Password changed
>> The former will show "passwd" in the ~/.kedpm/history file while the
>> latter will show "passwd bar" in the history file, divulging the
>> password in clear text.
>> Also, all password *names* that are created or consulted are saved in
>> the history file, something that users may not expect (although you have
>> to wonder how they thought history worked).
>> This is documented in the Debian bugtracker:
>> But I would like to get a CVE assigned for wider diffusion.
> You need to request it at
> You can follow up here with the number when you get one assigned.

I have requested a CVE.

The history of any one part of the earth, like the life of a soldier,
consists of long periods of boredom and short periods of terror.
                       - British geologist Derek V. Ager
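
An audit of the history file for the leak described in the quoted report, as an added example that is not part of the original message or of kedpm's own code. It assumes the history file holds one command per line; the function names and the sample contents are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumption: readline-style history, one command per line.
# Matches `passwd` followed by an argument (the "bad" form in the report).
PASSWD_WITH_ARG = re.compile(r"^\s*passwd\s+\S")

def audit_history(path):
    """Return (line numbers that leak a password, readable-by-others flag)."""
    leaks = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if PASSWD_WITH_ARG.match(line):
                leaks.append(lineno)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return leaks, bool(mode & 0o077)

def redact_history(path):
    """Rewrite the file so `passwd <arg>` lines keep only the command name."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = fh.readlines()
    cleaned = ["passwd\n" if PASSWD_WITH_ARG.match(l) else l for l in lines]
    # mkstemp creates the file with mode 0600; os.replace swaps it in atomically
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as out:
        out.writelines(cleaned)
    os.replace(tmp, path)
    return sum(1 for a, b in zip(lines, cleaned) if a != b)

def demo():
    # Constructed sample: the good and bad forms from the report, plus filler
    sample = "help\npasswd\nshow mail\npasswd bar\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "history")  # stands in for ~/.kedpm/history
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)  # simulate a history file readable by others
        before = audit_history(path)
        changed = redact_history(path)
        after = audit_history(path)
    return before, changed, after

if __name__ == "__main__":
    print(demo())
```

Redaction does not undo the exposure: a master password that has appeared in the history file should be changed again through the interactive `passwd` prompt.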
