A vulnerability was discovered in the kedpm password manager that may
expose the master password when changed, if passed on the command line:
kedpm:/> passwd
kedpm:/> passwd bar
The former will show "passwd" in the ~/.kedpm/history file while the
latter will show "passwd bar" in the history file, divulging the
password in clear text.
Also, all password *names* that are created or consulted are saved in
the history file, something that users may not expect (although you have
to wonder how they thought history worked).
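The mitigation the report implies is to filter what reaches the history file and to keep that file private. The following is an added example, not kedpm's own code: a history writer for a cmd.Cmd-style shell that drops the argument of a sensitive command (modelled on kedpm's "passwd"), redacts entry names for a hypothetical set of name-taking commands, and creates ~/.kedpm/history-style files with mode 0600. The command names other than "passwd", the constructed session, and the temp-file location are assumptions for illustration.

```python
"""Hardened command-history handling for an interactive password-manager shell.

Added example (not kedpm's own code). It assumes a cmd.Cmd-style shell whose
"passwd" command may take the new master password as an argument, and shows
two mitigations for the history-file disclosure described in the report:
  1. sensitive commands are redacted before they are appended to history,
  2. the history file is created with, and kept at, mode 0600.
"""
import os
import stat
import tempfile

# Commands whose arguments must never reach the history file.
# Assumption: modelled on kedpm's "passwd"; extend for any command that takes a secret.
SENSITIVE_COMMANDS = {"passwd"}

# Commands whose argument is a password-entry name. The reporter notes users may
# not expect these in history, so the argument is redacted too.
# Assumption: these command names are hypothetical, not kedpm's real ones.
NAME_ARG_COMMANDS = {"show", "new", "edit"}

# Constructed sample session (not captured from a real kedpm run).
CONSTRUCTED_SESSION = ["ls", "passwd bar", "show mail", "passwd", "   "]


def redact_history_line(line):
    """Return the string to store in history for `line`, or None to skip it.

    "passwd bar" -> "passwd"           (argument dropped, secret never stored)
    "passwd"     -> "passwd"
    "show mail"  -> "show <redacted>"
    "ls"         -> "ls"
    ""           -> None
    """
    stripped = line.strip()
    if not stripped:
        return None
    parts = stripped.split(None, 1)
    command = parts[0]
    if command in SENSITIVE_COMMANDS:
        return command
    if command in NAME_ARG_COMMANDS and len(parts) > 1:
        return f"{command} <redacted>"
    return stripped


def write_history(path, lines):
    """Append redacted history to `path`, creating it with mode 0600.

    os.open with O_CREAT and mode 0o600 means the file never exists with group
    or world bits set: the umask can only clear bits from 0o600, never add any.
    The trailing chmod tightens a file that already existed with looser mode.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "w") as fh:
        for line in lines:
            kept = redact_history_line(line)
            if kept is not None:
                fh.write(kept + "\n")
    os.chmod(path, 0o600)
    return path


def history_is_private(path):
    """True if the history file is readable and writable only by its owner."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode == 0o600


def demo_session(directory=None):
    """Write the constructed session to a temp history file.

    Returns (stored_lines, file_is_private) so the result can be checked.
    """
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "history")
    write_history(path, CONSTRUCTED_SESSION)
    with open(path) as fh:
        stored = fh.read().splitlines()
    return stored, history_is_private(path)


if __name__ == "__main__":
    stored, private = demo_session()
    for entry in stored:
        print(entry)
    print("history private:", private)
```

The check a reviewer would run against the original behaviour is simply `grep passwd ~/.kedpm/history` after changing the master password: with the redaction above the stored line is "passwd" with no argument, whereas the unpatched versions store the full "passwd bar" line.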
Patches via URL
CVE has been requested as per OSS list. - http://seclists.org/oss-sec/2017/q2/139
kedpm 0.5 and 1.0 create a history file in ~/.kedpm/history that is written
in cleartext. All of the commands performed in the password manager are
written there. This can lead to the disclosure of the master password if the
"password" command is used with an argument. The names of the password
entries created and consulted are also accessible in cleartext.
Author: Michał Górny <firstname.lastname@example.org>
AuthorDate: Mon Aug 14 09:53:29 2017
Commit: Michał Górny <email@example.com>
CommitDate: Mon Aug 14 10:02:52 2017
app-admin/kedpm: Remove last-rited pkg, #611574
app-admin/kedpm/Manifest | 1 -
app-admin/kedpm/files/kedpm.desktop | 16 ------------
app-admin/kedpm/files/setup-doc.patch | 12 ---------
app-admin/kedpm/kedpm-0.4.0-r2.ebuild | 48 -----------------------------------
app-admin/kedpm/metadata.xml | 9 -------
profiles/package.mask | 5 ----
6 files changed, 91 deletions(-)
Removal GLSA request filed.
This issue was resolved and addressed in
GLSA 201708-04 at https://security.gentoo.org/glsa/201708-04
by GLSA coordinator Aaron Bauman (b-man).