Date: Thu, 27 Apr 2017 08:43:46 -0400 From: Antoine Beaupré <anarcat@...ngeseeds.org> To: Emilio Pozuelo Monfort <pochu27@...il.com>, oss-security@...ts.openwall.com Subject: Re: kedpm: Information leak via the command history file On 2017-04-27 10:09:13, Emilio Pozuelo Monfort wrote: > Hi, > > On 26/04/17 22:52, Antoine Beaupré wrote: >> A vulnerability was discovered in the kedpm password manager that may >> expose the master password when changed, if passed on the commandline. >> >> Example, good: >> >> kedpm> passwd >> New password: >> Repeat password: >> Password changed. >> kedpm> >> >> Example, bad: >> >> kedpm:/> passwd bar >> Password changed >> >> The former will show "passwd" in the ~/.kedpm/history file while the >> latter will show "passwd bar" in the history file, divulging the >> password in clear text. >> >> Also, all password *names* that are created or consulted are saved in >> the history file, something that users may not expect (although you have >> to wonder how they thought history worked). >> >> This is documented in the Debian bugtracker: >> >> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860817 >> >> But I would like to get a CVE assigned for wider diffusion. > > You need to request it at https://cveform.mitre.org/ > > You can follow up here with the number when you get one assigned. I have requested a CVE. -- The history of any one part of the earth, like the life of a soldier, consists of long periods of boredom and short periods of terror. - British geologist Derek V. Ager
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ