Bug 421571 (CVE-2012-3818) - <x11-misc/revelation-0.4.14 : Too weak encryption / file format to be considered as a password manager (CVE-2012-3818)
Alias: CVE-2012-3818
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Reported: 2012-06-17 13:57 UTC by Samuli Suominen (RETIRED)
Modified: 2012-08-11 18:05 UTC
Description Samuli Suominen (RETIRED) gentoo-dev 2012-06-17 13:57:55 UTC
I'm not sure what to do with this. Maybe it's not a good idea to ship it if it can't do its primary function properly?
Comment 1 Tristan Heaven (RETIRED) gentoo-dev 2012-07-03 00:52:15 UTC
Bumped to 0.4.14 which migrates files to a new format on save. I'll let you decide whether it's secure enough.
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2012-07-03 07:57:30 UTC
(In reply to comment #1)
> Bumped to 0.4.14 which migrates files to a new format on save. I'll let you
> decide whether it's secure enough.

I'll take the easy way out:;a=commit;h=8f536dddb99d965a1a0663a6cea9cec486182d77

"Upstream pre-release which addresses weak encryption format.

- This version will detect old encryption format and will prompt you to
  re-save in new format."

So let's do the normal stabilization route for:

Comment 3 Agostino Sarubbo gentoo-dev 2012-07-03 11:13:46 UTC
amd64 stable
Comment 4 Brent Baude (RETIRED) gentoo-dev 2012-07-03 17:24:56 UTC
ppc done
Comment 5 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-07-03 23:29:43 UTC
x86 stable
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-11 21:48:08 UTC
Thanks, everyone.

GLSA vote: no.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2012-07-11 21:48:29 UTC
CVE-2012-3818:
  The fpm exporter in Revelation 0.4.13-2 and earlier encrypts the version
  number but not the password when exporting a file, which might allow local
  users to obtain sensitive information.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2012-08-11 18:05:54 UTC
Thanks, folks. GLSA Vote: no, too. Closing noglsa.