Your message dated Sat, 09 Dec 2017 10:47:53 +0000
with message-id <[email protected]>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #861541,
regarding jessie-pu: package kedpm/1.0
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
861541: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861541
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
A security issue came up in kedpm as shipped in stable (CVE-2017-8296,
#860817). It was marked "no-dsa" by the security team, to be fixed in
the next point release.
This is therefore my attempt at shipping that update. Unfortunately, I
will be offline very soon, for all of May, so it is unlikely that I
will be able to perform the upload myself, but hopefully someone can
take this and run if I don't respond in time to your permission. :)
Attached is the debdiff, I hope that covers it all...
A.
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf
Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru kedpm-1.0/debian/changelog kedpm-1.0+deb8u1/debian/changelog
--- kedpm-1.0/debian/changelog 2012-11-30 15:45:14.000000000 -0500
+++ kedpm-1.0+deb8u1/debian/changelog 2017-04-26 20:44:11.000000000 -0400
@@ -1,3 +1,10 @@
+kedpm (1.0+deb8u1) jessie; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * fix information leak via command history file (Closes: #860817)
+
+ -- Antoine Beaupré <[email protected]> Wed, 26 Apr 2017 20:44:11 -0400
+
kedpm (1.0) unstable; urgency=low
* New upstream release.
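Review bot: the changelog entry `+ * Non-maintainer upload by the Security Team.` does not match the cover letter, which says the security team marked the issue no-dsa and that this is a jessie-pu upload by the submitter, not a DSA; a point-release NMU entry normally reads `* Non-maintainer upload.`. The entry also omits the CVE id given in the cover letter; name it next to the bug, e.g. `* Fix information leak via command history file (CVE-2017-8296) (Closes: #860817)`, so the fix is findable from the changelog and the security tracker.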
diff -Nru
kedpm-1.0/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
kedpm-1.0+deb8u1/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
---
kedpm-1.0/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
1969-12-31 19:00:00.000000000 -0500
+++
kedpm-1.0+deb8u1/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
2017-04-26 20:43:55.000000000 -0400
@@ -0,0 +1,61 @@
+From b8f7e8b3b2cb37425cb89b205c9836c6ac02a048 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <[email protected]>
+Date: Wed, 26 Apr 2017 16:58:56 -0400
+Subject: [PATCH 1/2] always prompt for password and do not save to database
+
+---
+ kedpm/frontends/cli.py | 38 +++++++++++++++-----------------------
+ 1 file changed, 15 insertions(+), 23 deletions(-)
+
+diff --git a/kedpm/frontends/cli.py b/kedpm/frontends/cli.py
+index c343138..27cfb70 100644
+--- a/kedpm/frontends/cli.py
++++ b/kedpm/frontends/cli.py
+@@ -591,29 +591,21 @@ def complete_rename(self, text, line, begidx, endidx):
+ return self.complete_dirs(text, line, begidx, endidx)
+
+ def do_passwd(self, arg):
+- """Change master password for opened database
+-
+-Syntax:
+- password [new password]
+-
+-If new password is not provided with command, you will be promted to enter new
+-one.
+-"""
+-
+- if not arg:
+- # Password is not provided with command. Ask user for it
+- pass1 = getpass(_("New password: "))
+- pass2 = getpass(_("Repeat password: "))
+- if pass1 == '':
+- print _("Empty passwords are really insecure. You should " \
+- "create one.")
+- return
+- if pass1!=pass2:
+- print _("Passwords don't match! Please repeat.")
+- return
+- new_pass = pass1
+- else:
+- new_pass = arg
++ """Change master password for opened database"""
++
++ # remove possibly master password from history file
++ readline.remove_history_item(readline.get_current_history_length()-1)
++ # Password is not provided with command. Ask user for it
++ pass1 = getpass(_("New password: "))
++ pass2 = getpass(_("Repeat password: "))
++ if pass1 == '':
++ print _("Empty passwords are really insecure. You should " \
++ "create one.")
++ return
++ if pass1!=pass2:
++ print _("Passwords don't match! Please repeat.")
++ return
++ new_pass = pass1
+
+ self.pdb.changePassword(new_pass)
+ self.printMessage(_("Password changed."))
+--
+2.11.0
+
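Review bot: the new `readline.remove_history_item(readline.get_current_history_length()-1)` call in `do_passwd` is unguarded: when the history is empty (command fed from a script or a non-interactive stdin) the index is -1 and readline raises ValueError, and if `do_passwd` is reached other than from the interactive prompt the line removed is not the `passwd` command at all. Guard it with a length check, and since `arg` is now ignored, print a short notice that a password given on the command line is discarded rather than silently prompting; the hunk does not show an `import readline` in cli.py, so confirm the module is imported there. The docstring cut-down drops the `Syntax:` help text; mention that the command takes no argument so `help passwd` stays accurate.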
diff -Nru kedpm-1.0/debian/patches/series kedpm-1.0+deb8u1/debian/patches/series
--- kedpm-1.0/debian/patches/series 1969-12-31 19:00:00.000000000 -0500
+++ kedpm-1.0+deb8u1/debian/patches/series 2017-04-26 20:43:55.000000000
-0400
@@ -0,0 +1 @@
+0001-always-prompt-for-password-and-do-not-save-to-databa.patch
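Review bot: series lists only `0001-always-prompt-for-password-and-do-not-save-to-databa.patch`, but the patch header above is tagged `[PATCH 1/2]`; confirm the second patch of that set was intentionally left out of the jessie update (or add it to series) so the upload does not ship only half of the upstream change.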
--- End Message ---
--- Begin Message ---
Version: 8.10
Hi,
Each of the updates referenced in these bugs was included in this
morning's jessie point release. Thanks!
Regards,
Adam
--- End Message ---