
Bug#861541: marked as done (jessie-pu: package kedpm/1.0)



Your message dated Sat, 09 Dec 2017 10:47:53 +0000
with message-id <1512816473.1994.32.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #861541,
regarding jessie-pu: package kedpm/1.0
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
861541: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861541
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

A security issue came up in kedpm as shipped in stable (CVE-2017-8296,
#860817). It was marked "no-dsa" by the security team, to be fixed in
the next point release.

This is therefore my attempt at shipping that update. Unfortunately, I
will be offline very soon, for all of May, so it is unlikely that I
will be able to perform the upload myself, but hopefully someone can
take this and run with it if I don't respond in time to your permission. :)

Attached is the debdiff, I hope that covers it all...

A.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'unstable')
Architecture: amd64
 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru kedpm-1.0/debian/changelog kedpm-1.0+deb8u1/debian/changelog
--- kedpm-1.0/debian/changelog	2012-11-30 15:45:14.000000000 -0500
+++ kedpm-1.0+deb8u1/debian/changelog	2017-04-26 20:44:11.000000000 -0400
@@ -1,3 +1,10 @@
+kedpm (1.0+deb8u1) jessie; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * fix information leak via command history file (Closes: #860817)
+
+ -- Antoine Beaupré <anarcat@debian.org>  Wed, 26 Apr 2017 20:44:11 -0400
+
 kedpm (1.0) unstable; urgency=low
 
   * New upstream release.
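Review bot: `+  * Non-maintainer upload by the Security Team.` misdescribes this update; per the request above the issue was marked no-dsa and is going in via jessie-pu as a stable update, so `* Non-maintainer upload.` is the accurate line. The entry also omits the CVE identifier the request cites, and the stable changelog is where users and the tracker look for it; suggest `* Fix information leak of the master password via the command history file (CVE-2017-8296) (Closes: #860817)`.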
diff -Nru kedpm-1.0/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch kedpm-1.0+deb8u1/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
--- kedpm-1.0/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch	1969-12-31 19:00:00.000000000 -0500
+++ kedpm-1.0+deb8u1/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch	2017-04-26 20:43:55.000000000 -0400
@@ -0,0 +1,61 @@
+From b8f7e8b3b2cb37425cb89b205c9836c6ac02a048 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
+Date: Wed, 26 Apr 2017 16:58:56 -0400
+Subject: [PATCH 1/2] always prompt for password and do not save to database
+
+---
+ kedpm/frontends/cli.py | 38 +++++++++++++++-----------------------
+ 1 file changed, 15 insertions(+), 23 deletions(-)
+
+diff --git a/kedpm/frontends/cli.py b/kedpm/frontends/cli.py
+index c343138..27cfb70 100644
+--- a/kedpm/frontends/cli.py
++++ b/kedpm/frontends/cli.py
+@@ -591,29 +591,21 @@ def complete_rename(self, text, line, begidx, endidx):
+         return self.complete_dirs(text, line, begidx, endidx)
+ 
+     def do_passwd(self, arg):
+-        """Change master password for opened database
+-        
+-Syntax:
+-    password [new password]
+-
+-If new password is not provided with command, you will be promted to enter new
+-one.
+-"""
+-
+-        if not arg:
+-            # Password is not provided with command. Ask user for it
+-            pass1 = getpass(_("New password: "))
+-            pass2 = getpass(_("Repeat password: "))
+-            if pass1 == '':
+-                print _("Empty passwords are really insecure. You should " \
+-                        "create one.")
+-                return
+-            if pass1!=pass2:
+-                print _("Passwords don't match! Please repeat.")
+-                return
+-            new_pass = pass1
+-        else:
+-            new_pass = arg
++        """Change master password for opened database"""
++
++        # remove possibly master password from history file
++        readline.remove_history_item(readline.get_current_history_length()-1)
++        # Password is not provided with command. Ask user for it
++        pass1 = getpass(_("New password: "))
++        pass2 = getpass(_("Repeat password: "))
++        if pass1 == '':
++            print _("Empty passwords are really insecure. You should " \
++                    "create one.")
++            return
++        if pass1!=pass2:
++            print _("Passwords don't match! Please repeat.")
++            return
++        new_pass = pass1
+ 
+         self.pdb.changePassword(new_pass)
+         self.printMessage(_("Password changed."))
+-- 
+2.11.0
+
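Review bot: `readline.remove_history_item(readline.get_current_history_length()-1)` is unconditional, so when the history is empty (input piped in, or no history loaded for the session) the index is -1 and remove_history_item raises ValueError, aborting `passwd` before it ever prompts; guard it with `if readline.get_current_history_length() > 0:` or, better, only remove the last item when it actually starts with `passwd`. Smaller points in the same hunk: the context shown does not include `import readline` in cli.py, so confirm it exists at module level or this is a NameError; `arg` is now silently discarded, so a user who types `passwd secret` (and has already shown it on the terminal) gets no hint that the value was ignored, a one-line warning before the prompt would help; the docstring lost its `Syntax:` block and should now say the command takes no argument; and the subject `always prompt for password and do not save to database` does not describe what the diff does, which concerns the readline history, not the database.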
diff -Nru kedpm-1.0/debian/patches/series kedpm-1.0+deb8u1/debian/patches/series
--- kedpm-1.0/debian/patches/series	1969-12-31 19:00:00.000000000 -0500
+++ kedpm-1.0+deb8u1/debian/patches/series	2017-04-26 20:43:55.000000000 -0400
@@ -0,0 +1 @@
+0001-always-prompt-for-password-and-do-not-save-to-databa.patch
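Review bot: the only series entry is `0001-always-prompt-for-password-and-do-not-save-to-databa.patch`, yet that patch's subject line reads `[PATCH 1/2]`. State in the request whether the second patch was intentionally left out of the jessie update (the cover text only says "I hope that covers it all"); otherwise a reviewer cannot tell whether the debdiff is complete.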

--- End Message ---
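The leak fixed above, reproduced as an added example that is not part of the bug report and not kedpm's code. A cmd.Cmd-based shell gets every typed line recorded by readline, and write_history_file() then persists `passwd hunter2` in clear text; the kedpm patch drops the newest history entry unconditionally before prompting. The version below goes beyond that patch in three ways that are assumptions of this example: it survives an empty history (where index -1 raises ValueError), it only removes an entry that really is the `passwd` command, and it writes the history file with mode 0600. `VaultShell`, `run_session`, `scrub_after` and the `.kedpm_history` file name are hypothetical stand-ins; the session input is constructed.

```python
# Added example, not kedpm's code: the history-file leak behind CVE-2017-8296
# and a guarded form of the fix.  VaultShell, run_session and the history file
# name are hypothetical stand-ins for kedpm's cmd.Cmd-based CLI.
import cmd
import getpass
import os
import readline
import tempfile

PASSWD_CMD = "passwd"

def scrub_last_history_entry(command_name):
    """Drop the newest readline entry if it invokes command_name; return True
    if something was removed.  Unlike an unconditional remove_history_item(
    length - 1) this survives an empty history and leaves unrelated entries
    alone.  get_history_item() is 1-based, remove_history_item() is 0-based."""
    n = readline.get_current_history_length()
    if n == 0:                      # nothing recorded, e.g. piped stdin
        return False
    last = readline.get_history_item(n)
    if last is None or last.split()[:1] != [command_name]:
        return False
    readline.remove_history_item(n - 1)
    return True

def current_history():
    return [readline.get_history_item(i + 1)
            for i in range(readline.get_current_history_length())]

class VaultShell(cmd.Cmd):
    """Minimal stand-in for a password-manager CLI (hypothetical)."""

    def __init__(self, prompt_secret=getpass.getpass):
        super().__init__()
        self.prompt_secret = prompt_secret  # injectable so tests need no tty
        self.master_password = None
        self.messages = []

    def do_passwd(self, arg):
        """Change the master password; always prompted for, never taken from arg."""
        # Scrub before any early return so the typed line cannot reach disk.
        scrub_last_history_entry(PASSWD_CMD)
        if arg:
            self.messages.append("Password on the command line is ignored; prompting instead.")
        pass1 = self.prompt_secret("New password: ")
        pass2 = self.prompt_secret("Repeat password: ")
        if pass1 == "":
            self.messages.append("Empty passwords are really insecure.")
            return
        if pass1 != pass2:
            self.messages.append("Passwords don't match! Please repeat.")
            return
        self.master_password = pass1
        self.messages.append("Password changed.")

def persisted_history(history_path):
    """Write the in-memory history to history_path (chmod 0600 is extra
    defence in depth beyond the kedpm patch) and read it back through
    readline, so the check does not depend on the on-disk format."""
    readline.write_history_file(history_path)
    os.chmod(history_path, 0o600)
    readline.clear_history()
    readline.read_history_file(history_path)
    return current_history()

def run_session(lines, history_path, prompt_secret):
    """Replay constructed input as an interactive session would: readline
    records each line (cmd.Cmd gets that via input()), then it is dispatched."""
    shell = VaultShell(prompt_secret=prompt_secret)
    readline.clear_history()
    for line in lines:
        readline.add_history(line)
        shell.onecmd(line)
    return shell, persisted_history(history_path)

def scrub_after(entries, command_name=PASSWD_CMD):
    """Load constructed history entries, scrub once, return (removed, rest)."""
    readline.clear_history()
    for entry in entries:
        readline.add_history(entry)
    return scrub_last_history_entry(command_name), current_history()

def demo():
    """Constructed session: the master password is typed on the command line once."""
    lines = ["help passwd", "passwd hunter2", "help"]
    answers = iter(["s3cret", "s3cret"])
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".kedpm_history")  # hypothetical file name
        readline.clear_history()   # first: what an unpatched shell persists
        for line in lines:
            readline.add_history(line)
        leaky = persisted_history(path)
        shell, fixed = run_session(lines, path, lambda _prompt: next(answers))
    return {"leaky": leaky, "fixed": fixed,
            "master_password": shell.master_password, "messages": shell.messages}

if __name__ == "__main__":
    print(demo())
```

Run with `python3` on a build that includes the readline module: `leaky` contains `passwd hunter2`, `fixed` does not. In a real cmd.Cmd loop readline has already appended the line by the time `do_passwd` runs, which is why the scrub sits at the top of the handler, before any early return; the `arg` warning exists because the user has already exposed the value on the terminal and should learn that it was not used.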
--- Begin Message ---
Version: 8.10

Hi,

Each of the updates referenced in these bugs was included in this
morning's jessie point release. Thanks!

Regards,

Adam

--- End Message ---