--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package kedpm/1.0
- From: Antoine Beaupre <anarcat@debian.org>
- Date: Sun, 30 Apr 2017 10:43:48 -0400
- Message-id: <149356342864.15337.14828882087944622142.reportbug@curie.anarc.at>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
A security issue came up in kedpm as shipped in stable (CVE-2017-8296,
#860817). It was marked "no-dsa" by the security team, to be fixed in
the next point release.
This is therefore my attempt at shipping that update. Unfortunately, I
will be offline very soon, for all of May, so it is unlikely that I
will be able to perform the upload myself, but hopefully someone can
take this and run if I don't respond in time to your permission. :)
Attached is the debdiff, I hope that covers it all...
A.
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf
Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru kedpm-1.0/debian/changelog kedpm-1.0+deb8u1/debian/changelog
--- kedpm-1.0/debian/changelog 2012-11-30 15:45:14.000000000 -0500
+++ kedpm-1.0+deb8u1/debian/changelog 2017-04-26 20:44:11.000000000 -0400
@@ -1,3 +1,10 @@
+kedpm (1.0+deb8u1) jessie; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * fix information leak via command history file (Closes: #860817)
+
+ -- Antoine Beaupré <anarcat@debian.org> Wed, 26 Apr 2017 20:44:11 -0400
+
kedpm (1.0) unstable; urgency=low
* New upstream release.
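Review bot: The new changelog entry omits the CVE identifier that the bug report itself cites (CVE-2017-8296); stable updates conventionally name the CVE in the changelog so the security tracker can match the fix, so `* fix information leak via command history file (CVE-2017-8296) (Closes: #860817)` would be preferable. The line `* Non-maintainer upload by the Security Team.` also looks inaccurate for an upload going through jessie-pu after the security team marked the issue no-dsa; a plain `* Non-maintainer upload.` describes this upload correctly.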
diff -Nru kedpm-1.0/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch kedpm-1.0+deb8u1/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
--- kedpm-1.0/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch 1969-12-31 19:00:00.000000000 -0500
+++ kedpm-1.0+deb8u1/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch 2017-04-26 20:43:55.000000000 -0400
@@ -0,0 +1,61 @@
+From b8f7e8b3b2cb37425cb89b205c9836c6ac02a048 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
+Date: Wed, 26 Apr 2017 16:58:56 -0400
+Subject: [PATCH 1/2] always prompt for password and do not save to database
+
+---
+ kedpm/frontends/cli.py | 38 +++++++++++++++-----------------------
+ 1 file changed, 15 insertions(+), 23 deletions(-)
+
+diff --git a/kedpm/frontends/cli.py b/kedpm/frontends/cli.py
+index c343138..27cfb70 100644
+--- a/kedpm/frontends/cli.py
++++ b/kedpm/frontends/cli.py
+@@ -591,29 +591,21 @@ def complete_rename(self, text, line, begidx, endidx):
+ return self.complete_dirs(text, line, begidx, endidx)
+
+ def do_passwd(self, arg):
+- """Change master password for opened database
+-
+-Syntax:
+- password [new password]
+-
+-If new password is not provided with command, you will be promted to enter new
+-one.
+-"""
+-
+- if not arg:
+- # Password is not provided with command. Ask user for it
+- pass1 = getpass(_("New password: "))
+- pass2 = getpass(_("Repeat password: "))
+- if pass1 == '':
+- print _("Empty passwords are really insecure. You should " \
+- "create one.")
+- return
+- if pass1!=pass2:
+- print _("Passwords don't match! Please repeat.")
+- return
+- new_pass = pass1
+- else:
+- new_pass = arg
++ """Change master password for opened database"""
++
++ # remove possibly master password from history file
++ readline.remove_history_item(readline.get_current_history_length()-1)
++ # Password is not provided with command. Ask user for it
++ pass1 = getpass(_("New password: "))
++ pass2 = getpass(_("Repeat password: "))
++ if pass1 == '':
++ print _("Empty passwords are really insecure. You should " \
++ "create one.")
++ return
++ if pass1!=pass2:
++ print _("Passwords don't match! Please repeat.")
++ return
++ new_pass = pass1
+
+ self.pdb.changePassword(new_pass)
+ self.printMessage(_("Password changed."))
+--
+2.11.0
+
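Review bot: `readline.remove_history_item(readline.get_current_history_length()-1)` runs unconditionally, but when the history is empty (input not coming from an interactive terminal, or readline history not in use) the index becomes -1 and `remove_history_item` raises ValueError before the password prompt is ever reached; guard it with `if readline.get_current_history_length() > 0:`. The diff does not show an `import readline` in cli.py, so please confirm the module is already imported there. Finally, `arg` is now silently discarded: a user who still types `passwd <secret>` out of habit gets no indication that the argument was ignored, even though that text has already been echoed on the terminal, so printing a short notice when `arg` is non-empty (and saying in the docstring that the new password is always prompted for) would make the behaviour change visible.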
diff -Nru kedpm-1.0/debian/patches/series kedpm-1.0+deb8u1/debian/patches/series
--- kedpm-1.0/debian/patches/series 1969-12-31 19:00:00.000000000 -0500
+++ kedpm-1.0+deb8u1/debian/patches/series 2017-04-26 20:43:55.000000000 -0400
@@ -0,0 +1 @@
+0001-always-prompt-for-password-and-do-not-save-to-databa.patch
--- End Message ---