Date: Wed, 26 Apr 2017 16:52:14 -0400
From: anarcat@...ngeseeds.org (Antoine Beaupré)
To: oss-security@...ts.openwall.com
Subject: kedpm: Information leak via the command history file

A vulnerability was discovered in the kedpm password manager that may
expose the master password when changed, if passed on the command line.

Example, good:

    kedpm> passwd
    New password:
    Repeat password:
    Password changed.
    kedpm>

Example, bad:

    kedpm:/> passwd bar
    Password changed

The former will show "passwd" in the ~/.kedpm/history file while the
latter will show "passwd bar" in the history file, divulging the
password in clear text.

Also, all password *names* that are created or consulted are saved in
the history file, something that users may not expect (although you
have to wonder how they thought history worked).

This is documented in the Debian bugtracker:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860817

But I would like to get a CVE assigned for wider diffusion.

Note that I seem to be the sole kedpm maintainer left and I consider
the software abandoned. I will backport patches to fix this in the
Debian bugtracker, but I have filed a request for the software to be
removed from Debian and all users should switch away.

Thanks,

a.
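The mitigation the report implies, as an added example that is neither kedpm's code nor part of the post above: a history writer that keeps the command word but redacts the arguments of sensitive commands, plus an audit function for an existing history file. The command names other than "passwd" ("new", "show") and the sample history are assumptions constructed for the example.

```python
# Added example, not kedpm's code: keep secrets out of a CLI history file.
# Assumption: "new" and "show" are hypothetical stand-ins for commands whose
# argument is a password *name*; "passwd" may carry the new master password.
import shlex
from typing import Iterable, List, Tuple

SECRET_ARG_COMMANDS = {"passwd", "new", "show"}  # arguments are sensitive
REDACTED = "<redacted>"


def sanitize_history_line(line: str) -> str:
    """Return what may be written to history for this command line.

    The command word is kept so history stays useful; the arguments of a
    sensitive command are replaced by a placeholder. An empty string means
    the line must not be recorded at all.
    """
    try:
        words = shlex.split(line)
    except ValueError:
        return ""  # unbalanced quotes: do not guess, do not record
    if not words:
        return ""
    if words[0] in SECRET_ARG_COMMANDS and len(words) > 1:
        return f"{words[0]} {REDACTED}"
    return line.strip()


def filter_history(lines: Iterable[str]) -> List[str]:
    """Sanitize every line before it reaches the history file."""
    return [s for s in (sanitize_history_line(x) for x in lines) if s]


def find_leaked_entries(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Audit an existing history file: (1-based line, entry) pairs where a
    sensitive command was recorded together with its arguments."""
    leaks = []
    for n, line in enumerate(lines, start=1):
        try:
            words = shlex.split(line)
        except ValueError:
            continue
        if len(words) > 1 and words[0] in SECRET_ARG_COMMANDS:
            leaks.append((n, line.rstrip("\n")))
    return leaks


# Constructed sample of a history file (not a real user's file).
SAMPLE_HISTORY = [
    "passwd",           # fine: the password was typed at the prompt
    "passwd bar",       # leaks the new master password
    "show 'my bank'",   # leaks a password name
    "help",
]
```

Running `find_leaked_entries` over an existing ~/.kedpm/history tells a user which lines to scrub; `filter_history` is what the history writer should apply before appending.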