Summary: | <x11-misc/revelation-0.4.14 : Too weak encryption / file format to be considered as a password manager (CVE-2012-3818) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Samuli Suominen (RETIRED) <ssuominen> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | marduk, tristan |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B3 [noglsa] | ||
Package list: | | Runtime testing required: | --- |
Description
Samuli Suominen (RETIRED)
2012-06-17 13:57:55 UTC
Bumped to 0.4.14 which migrates files to a new format on save. I'll let you decide whether it's secure enough.

(In reply to comment #1)
> Bumped to 0.4.14 which migrates files to a new format on save. I'll let you
> decide whether it's secure enough.

I'll take the easy way out:

http://pkgs.fedoraproject.org/gitweb/?p=revelation.git;a=commit;h=8f536dddb99d965a1a0663a6cea9cec486182d77

"Upstream pre-release which addresses weak encryption format.
- This version will detect old encryption format and will prompt you to re-save in new format."

So let's do the normal stabilization route for:

=x11-misc/revelation-0.4.14

amd64 stable

ppc done

x86 stable

Thanks, everyone. GLSA vote: no.

CVE-2012-3818 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3818):
The fpm exporter in Revelation 0.4.13-2 and earlier encrypts the version number but not the password when exporting a file, which might allow local users to obtain sensitive information.

Thanks, folks. GLSA Vote: no, too. Closing noglsa.