A vulnerability was discovered in the kedpm password manager that may expose the master password when changed, if passed on the commandline. Example, good: kedpm> passwd New password: Repeat password: Password changed. kedpm> Example, bad: kedpm:/> passwd bar Password changed The former will show "passwd" in the ~/.kedpm/history file while the latter will show "passwd bar" in the history file, divulging the password in clear text. Also, all password *names* that are created or consulted are saved in the history file, something that users may not expect (although you have to wonder how they thought history worked).
Patches via URL CVE has been requested as per OSS list. - http://seclists.org/oss-sec/2017/q2/139
CVE-2017-8296 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8296): kedpm 0.5 and 1.0 creates a history file in ~/.kedpm/history that is written in cleartext. All of the commands performed in the password manager are written there. This can lead to the disclosure of the master password if the "password" command is used with an argument. The names of the password entries created and consulted are also accessible in cleartext.
commit 17e2376d0238104b88a33a14f35c49ef0341b88f Author: Michał Górny <mgorny@gentoo.org> AuthorDate: Mon Aug 14 09:53:29 2017 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: Mon Aug 14 10:02:52 2017 app-admin/kedpm: Remove last-rited pkg, #611574 app-admin/kedpm/Manifest | 1 - app-admin/kedpm/files/kedpm.desktop | 16 ------------ app-admin/kedpm/files/setup-doc.patch | 12 --------- app-admin/kedpm/kedpm-0.4.0-r2.ebuild | 48 ----------------------------------- app-admin/kedpm/metadata.xml | 9 ------- profiles/package.mask | 5 ---- 6 files changed, 91 deletions(-)
Removal GLSA request filed.
This issue was resolved and addressed in GLSA 201708-04 at https://security.gentoo.org/glsa/201708-04 by GLSA coordinator Aaron Bauman (b-man).
