Bug 616690 (CVE-2017-8296) - <=app-admin/kedpm-0.4.0-r2: Information leak via the command history file (CVE-2017-8296)
Status: RESOLVED FIXED
Alias: CVE-2017-8296
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugs.debian.org/cgi-bin/bugre...
Whiteboard: B3 [glsa cve]
Reported: 2017-04-27 00:10 UTC by Volkan
Modified: 2017-08-21 00:09 UTC

Description Volkan 2017-04-27 00:10:06 UTC
A vulnerability was discovered in the kedpm password manager that may
expose the master password when changed, if passed on the commandline.

Example, good:

kedpm> passwd
New password:
Repeat password:
Password changed.
kedpm>

Example, bad:

kedpm:/> passwd bar
Password changed

The former will show "passwd" in the ~/.kedpm/history file while the
latter will show "passwd bar" in the history file, divulging the
password in clear text.

Also, all password *names* that are created or consulted are saved in
the history file, something that users may not expect (although you have
to wonder how they thought history worked).
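
A check for the leak described above, as an added example that is not part of the original report or of kedpm's own code: it lists the history lines where `passwd` was recorded with an argument, flags a file that group or others can access, and rewrites the file with those arguments dropped. It assumes the history file holds one command per line; the function names and the sample file contents are constructed for illustration.

```python
import os
import stat
import tempfile

SENSITIVE = b"passwd"  # the command shown in the report

def leaked_lines(path):
    """Line numbers where `passwd` was recorded with an argument."""
    hits = []
    with open(path, "rb") as fh:
        for lineno, line in enumerate(fh, 1):
            words = line.split()
            # Bare "passwd" prompts for the secret; "passwd <arg>" stored it.
            if len(words) > 1 and words[0] == SENSITIVE:
                hits.append(lineno)
    return hits

def too_permissive(path):
    """True if group or others have any access to the history file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def scrub(path):
    """Rewrite the file with passwd arguments removed; return lines changed."""
    changed = 0
    # mkstemp creates the replacement file with mode 0600 in the same directory.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "wb") as out, open(path, "rb") as src:
        for line in src:
            words = line.split()
            if len(words) > 1 and words[0] == SENSITIVE:
                line, changed = SENSITIVE + b"\n", changed + 1
            out.write(line)
    os.replace(tmp, path)  # atomic swap; the new file keeps mode 0600
    return changed

def demo():
    """Run the audit on a constructed history file (not real kedpm data)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "history")
        with open(path, "wb") as fh:
            fh.write(b"passwd\nhelp\npasswd bar\n")  # constructed sample lines
        os.chmod(path, 0o644)
        before = (leaked_lines(path), too_permissive(path))
        return before, scrub(path), leaked_lines(path), too_permissive(path)

if __name__ == "__main__":
    print(demo())
```

Scrubbing does not undo the exposure: a hit means the master password sat on disk in clear text, so it should be changed through the interactive prompt afterwards.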
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-04-28 06:37:00 UTC
Patches via URL
CVE has been requested as per OSS list. - http://seclists.org/oss-sec/2017/q2/139
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-06-04 13:01:57 UTC
CVE-2017-8296 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8296):
  kedpm 0.5 and 1.0 creates a history file in ~/.kedpm/history that is written
  in cleartext. All of the commands performed in the password manager are
  written there. This can lead to the disclosure of the master password if the
  "password" command is used with an argument. The names of the password
  entries created and consulted are also accessible in cleartext.
Comment 3 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-08-14 08:06:52 UTC
commit 17e2376d0238104b88a33a14f35c49ef0341b88f
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: Mon Aug 14 09:53:29 2017
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: Mon Aug 14 10:02:52 2017

    app-admin/kedpm: Remove last-rited pkg, #611574

 app-admin/kedpm/Manifest              |  1 -
 app-admin/kedpm/files/kedpm.desktop   | 16 ------------
 app-admin/kedpm/files/setup-doc.patch | 12 ---------
 app-admin/kedpm/kedpm-0.4.0-r2.ebuild | 48 -----------------------------------
 app-admin/kedpm/metadata.xml          |  9 -------
 profiles/package.mask                 |  5 ----
 6 files changed, 91 deletions(-)
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-08-14 23:25:49 UTC
Removal GLSA request filed.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-08-21 00:09:29 UTC
This issue was resolved and addressed in
 GLSA 201708-04 at https://security.gentoo.org/glsa/201708-04
by GLSA coordinator Aaron Bauman (b-man).