CVE-2017-8296

NameCVE-2017-8296
Descriptionkedpm 0.5 and 1.0 creates a history file in ~/.kedpm/history that is written in cleartext. All of the commands performed in the password manager are written there. This can lead to the disclosure of the master password if the "password" command is used with an argument. The names of the password entries created and consulted are also accessible in cleartext.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-925-1
NVD severitymedium
Debian Bugs860817

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
kedpm (PTS)jessie1.0+deb8u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
kedpmsource(unstable)(unfixed)860817
kedpmsourcejessie1.0+deb8u1
kedpmsourcewheezy0.5.0-4+deb7u1DLA-925-1

Notes

patch in BTS gives workaround to always prompt for password and do not save
to database.
http://www.openwall.com/lists/oss-security/2017/04/25/9

Search for package or bug name: Reporting problems