Bug#861541: jessie-pu: package kedpm/1.0

[Cyril Brulebois]

Control: tag -1 confirmed

Antoine Beaupre <anar...@debian.org> (2017-04-30):
> diff -Nru kedpm-1.0/debian/changelog kedpm-1.0+deb8u1/debian/changelog
> --- kedpm-1.0/debian/changelog        2012-11-30 15:45:14.000000000 -0500
> +++ kedpm-1.0+deb8u1/debian/changelog 2017-04-26 20:44:11.000000000 -0400
> @@ -1,3 +1,10 @@
> +kedpm (1.0+deb8u1) jessie; urgency=high
> +
> +  * Non-maintainer upload by the Security Team.
> +  * fix information leak via command history file (Closes: #860817)
> +
> + -- Antoine Beaupré <anar...@debian.org>  Wed, 26 Apr 2017 20:44:11 -0400
> +
>  kedpm (1.0) unstable; urgency=low
>  
>    * New upstream release.
> diff -Nru 
> kedpm-1.0/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
>  
> kedpm-1.0+deb8u1/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
> --- 
> kedpm-1.0/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
>   1969-12-31 19:00:00.000000000 -0500
> +++ 
> kedpm-1.0+deb8u1/debian/patches/0001-always-prompt-for-password-and-do-not-save-to-databa.patch
>    2017-04-26 20:43:55.000000000 -0400
> @@ -0,0 +1,61 @@
> +From b8f7e8b3b2cb37425cb89b205c9836c6ac02a048 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anar...@debian.org>
> +Date: Wed, 26 Apr 2017 16:58:56 -0400
> +Subject: [PATCH 1/2] always prompt for password and do not save to database

The 1/2 part seems a bit weird here; was the second patch relevant for
this security fix?

> +-        """Change master password for opened database
> +-        
> +-Syntax:
> +-    password [new password]
> +-
> +-If new password is not provided with command, you will be promted to enter 
> new
> +-one.
> +-"""
> +-
> +-        if not arg:
> +-            # Password is not provided with command. Ask user for it
> +-            pass1 = getpass(_("New password: "))
> +-            pass2 = getpass(_("Repeat password: "))
> +-            if pass1 == '':
> +-                print _("Empty passwords are really insecure. You should " \
> +-                        "create one.")
> +-                return
> +-            if pass1!=pass2:
> +-                print _("Passwords don't match! Please repeat.")
> +-                return
> +-            new_pass = pass1
> +-        else:
> +-            new_pass = arg
> ++        """Change master password for opened database"""
> ++
> ++        # remove possibly master password from history file
> ++        
> readline.remove_history_item(readline.get_current_history_length()-1)

I'm assuming the history was already updated to include the last/current
command?

> ++        # Password is not provided with command. Ask user for it

I suppose this became a bit of a lie. :) Feel free to replace it with
“Always ask the user for the password”, or remove it entirely.

With or without the comment fix, feel free to upload.


KiBi.

signature.asc
Description: Digital signature