Summary: | <=app-admin/kedpm-0.4.0-r2: Information leak via the command history file (CVE-2017-8296) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Volkan <vBugZilla> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | mgorny, proxy-maint |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
URL: | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860817 | ||
Whiteboard: | B3 [glsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
Volkan
2017-04-27 00:10:06 UTC
Patches via URL

CVE has been requested as per OSS list.
- http://seclists.org/oss-sec/2017/q2/139

CVE-2017-8296 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8296): kedpm 0.5 and 1.0 creates a history file in ~/.kedpm/history that is written in cleartext. All of the commands performed in the password manager are written there. This can lead to the disclosure of the master password if the "password" command is used with an argument. The names of the password entries created and consulted are also accessible in cleartext.

commit 17e2376d0238104b88a33a14f35c49ef0341b88f
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: Mon Aug 14 09:53:29 2017
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: Mon Aug 14 10:02:52 2017

    app-admin/kedpm: Remove last-rited pkg, #611574

 app-admin/kedpm/Manifest              |  1 -
 app-admin/kedpm/files/kedpm.desktop   | 16 ------------
 app-admin/kedpm/files/setup-doc.patch | 12 ---------
 app-admin/kedpm/kedpm-0.4.0-r2.ebuild | 48 -----------------------------------
 app-admin/kedpm/metadata.xml          |  9 -------
 profiles/package.mask                 |  5 ----
 6 files changed, 91 deletions(-)

Removal GLSA request filed.

This issue was resolved and addressed in GLSA 201708-04 at https://security.gentoo.org/glsa/201708-04 by GLSA coordinator Aaron Bauman (b-man).
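The mitigation for the leak described above, as an added example that is not kedpm's own code: persist the command history only after stripping the argument from the `password` command, create the file with mode 0600, and audit an existing history for the leaky `password <arg>` pattern. The command names, the session lines and the file layout are constructed assumptions for illustration, not taken from kedpm.

```python
import os
import stat
import tempfile

# Commands whose arguments must never reach the history file.
# Constructed for this example; kedpm's real command set is not reproduced.
SENSITIVE_COMMANDS = {"password"}


def redact_command(line):
    """Return the form of a command line that is safe to persist, or None to drop it."""
    parts = line.strip().split(None, 1)
    if not parts:
        return None
    cmd = parts[0].lower()
    if cmd in SENSITIVE_COMMANDS:
        # Keep only the command name: the user still sees that it ran,
        # but the secret argument is never written to disk.
        return cmd
    return line.strip()


def save_history(lines, path):
    """Write the redacted history, creating the file 0600 so other local users cannot read it."""
    safe = [r for r in (redact_command(l) for l in lines) if r is not None]
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(safe) + ("\n" if safe else ""))
    return safe


def audit_history(lines):
    """Defender-side check: 1-based line numbers where a sensitive command carries an argument."""
    leaks = []
    for n, line in enumerate(lines, 1):
        parts = line.strip().split(None, 1)
        if parts and parts[0].lower() in SENSITIVE_COMMANDS and len(parts) > 1:
            leaks.append(n)
    return leaks


def demo():
    # Constructed session mirroring the pattern in the bug report.
    session = ["open", "password hunter2", "show bank", "quit"]
    path = os.path.join(tempfile.mkdtemp(), "history")
    saved = save_history(session, path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as f:
        leaks = audit_history(f.read().splitlines())
    return saved, mode, leaks
```

Running `audit_history` over the raw, unredacted session reports line 2, which is exactly what an operator would look for when assessing an existing ~/.kedpm/history.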