oss-sec mailing list archives
kedpm: Information leak via the command history file
From: anarcat () orangeseeds org (Antoine Beaupré)
Date: Wed, 26 Apr 2017 16:52:14 -0400
A vulnerability was discovered in the kedpm password manager that may expose the master password when changed, if passed on the commandline. Example, good: kedpm> passwd New password: Repeat password: Password changed. kedpm> Example, bad: kedpm:/> passwd bar Password changed The former will show "passwd" in the ~/.kedpm/history file while the latter will show "passwd bar" in the history file, divulging the password in clear text. Also, all password *names* that are created or consulted are saved in the history file, something that users may not expect (although you have to wonder how they thought history worked). This is documented in the Debian bugtracker: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860817 But I would like to get a CVE assigned for wider diffusion. Note that I seem to be the sole kedpm maintainer left and I consider the software abandoned. I will backport patches to fix this in the Debian bugtracker, but I have filed a request for the software to be removed from Debian and all users should switch away. Thanks, a.
Attachment:
signature.asc
Description:
Current thread:
- kedpm: Information leak via the command history file Antoine Beaupré (Apr 26)
- Re: kedpm: Information leak via the command history file Emilio Pozuelo Monfort (Apr 27)
- Re: kedpm: Information leak via the command history file Antoine Beaupré (Apr 27)
- Re: kedpm: Information leak via the command history file Emilio Pozuelo Monfort (Apr 27)