
Bug#861541: jessie-pu: package kedpm/1.0



Control: tag -1 confirmed

Antoine Beaupre <anarcat@debian.org> (2017-04-30):
> diff -Nru kedpm-1.0/debian/changelog kedpm-1.0+deb8u1/debian/changelog
> --- kedpm-1.0/debian/changelog	2012-11-30 15:45:14.000000000 -0500
> +++ kedpm-1.0+deb8u1/debian/changelog	2017-04-26 20:44:11.000000000 -0400
> @@ -1,3 +1,10 @@
> +kedpm (1.0+deb8u1) jessie; urgency=high
> +
> +  * Non-maintainer upload by the Security Team.
> +  * fix information leak via command history file (Closes: #860817)
> +
> + -- Antoine Beaupré <anarcat@debian.org>  Wed, 26 Apr 2017 20:44:11 -0400
> +
>  kedpm (1.0) unstable; urgency=low
>  
>    * New upstream release.
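Review bot: the changelog entry only says "fix information leak via command history file", but the patch below also drops the `password [new password]` argument form (the `Syntax:` docstring and the `new_pass = arg` branch are removed), which is a user-visible behaviour change for a stable update; mention it in the changelog (or debian/NEWS) so users relying on the argument form know it is now ignored.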
> diff -Nru kedpm-1.0/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch kedpm-1.0+deb8u1/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
> --- kedpm-1.0/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch	1969-12-31 19:00:00.000000000 -0500
> +++ kedpm-1.0+deb8u1/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch	2017-04-26 20:43:55.000000000 -0400
> @@ -0,0 +1,61 @@
> +From b8f7e8b3b2cb37425cb89b205c9836c6ac02a048 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
> +Date: Wed, 26 Apr 2017 16:58:56 -0400
> +Subject: [PATCH 1/2] always prompt for password and do not save to database

The 1/2 part seems a bit weird here; was the second patch relevant for
this security fix?

> +-        """Change master password for opened database
> +-        
> +-Syntax:
> +-    password [new password]
> +-
> +-If new password is not provided with command, you will be promted to enter new
> +-one.
> +-"""
> +-
> +-        if not arg:
> +-            # Password is not provided with command. Ask user for it
> +-            pass1 = getpass(_("New password: "))
> +-            pass2 = getpass(_("Repeat password: "))
> +-            if pass1 == '':
> +-                print _("Empty passwords are really insecure. You should " \
> +-                        "create one.")
> +-                return
> +-            if pass1!=pass2:
> +-                print _("Passwords don't match! Please repeat.")
> +-                return
> +-            new_pass = pass1
> +-        else:
> +-            new_pass = arg
> ++        """Change master password for opened database"""
> ++
> ++        # remove possibly master password from history file
> ++        readline.remove_history_item(readline.get_current_history_length()-1)
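Review bot: `readline.remove_history_item(readline.get_current_history_length()-1)` raises ValueError when the history is empty, since a length of 0 yields position -1 (for example when the command arrives on a non-interactive stdin or the history was cleared); guard it with `if readline.get_current_history_length() > 0:` before the call. Removing the item from the in-memory history also only helps if the history file is written from that list later (e.g. at exit) rather than appended per command, so the fix should be verified against wherever the history file is written. Since the `arg` branch is gone, the shortened docstring should also say that any argument is ignored and the password is always prompted for.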

I'm assuming the history was already updated to include the last/current
command?

> ++        # Password is not provided with command. Ask user for it

I suppose this became a bit of a lie. :) Feel free to replace it with
“Always ask the user for the password”, or remove it entirely.

With or without the comment fix, feel free to upload.


KiBi.
