CVE-2017-8296

NameCVE-2017-8296
Descriptionkedpm 0.5 and 1.0 creates a history file in ~/.kedpm/history that is written in cleartext. All of the commands performed in the password manager are written there. This can lead to the disclosure of the master password if the "password" command is used with an argument. The names of the password entries created and consulted are also accessible in cleartext.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-925-1
NVD severitymedium
Debian Bugs860817

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
kedpmsourcewheezy0.5.0-4+deb7u1DLA-925-1
kedpmsourcejessie1.0+deb8u1
kedpmsource(unstable)(unfixed)860817

Notes

patch in BTS gives workaround to always prompt for password and do not save
to database.
https://www.openwall.com/lists/oss-security/2017/04/25/9

Search for package or bug name: Reporting problems