oss-sec mailing list archives
Re: kedpm: Information leak via the command history file
From: Emilio Pozuelo Monfort <pochu27 () gmail com>
Date: Thu, 27 Apr 2017 10:09:13 +0200
Hi, On 26/04/17 22:52, Antoine Beaupré wrote:
A vulnerability was discovered in the kedpm password manager that may expose the master password when changed, if passed on the commandline. Example, good: kedpm> passwd New password: Repeat password: Password changed. kedpm> Example, bad: kedpm:/> passwd bar Password changed The former will show "passwd" in the ~/.kedpm/history file while the latter will show "passwd bar" in the history file, divulging the password in clear text. Also, all password *names* that are created or consulted are saved in the history file, something that users may not expect (although you have to wonder how they thought history worked). This is documented in the Debian bugtracker: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860817 But I would like to get a CVE assigned for wider diffusion.
You need to request it at https://cveform.mitre.org/ You can follow up here with the number when you get one assigned. Cheers, Emilio
Current thread:
- kedpm: Information leak via the command history file Antoine Beaupré (Apr 26)
- Re: kedpm: Information leak via the command history file Emilio Pozuelo Monfort (Apr 27)
- Re: kedpm: Information leak via the command history file Antoine Beaupré (Apr 27)
- Re: kedpm: Information leak via the command history file Emilio Pozuelo Monfort (Apr 27)