[Secure-testing-team] Bug#680059: revelation: FPM exporter doesn't encrypt password files [CVE-2012-3818]
Yves-Alexis Perez
corsac at debian.org
Tue Jul 3 09:37:56 UTC 2012
Package: revelation
Version: 0.4.13-1
Severity: grave
Tags: security
Justification: user security hole
Hey,
it seems that the revelation password manager has an issue in export
function for the Figaro Password Manager format. A quick test seems to
reveal that it uses in fact the XML (unencrypted) format, while still
asking for a password and not warning the user that the export is
insecure.
I didn't test the other export formats but it might be worth looking at
them.
This has been allowed CVE-2012-3818
References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3818
http://knoxin.blogspot.co.uk/2012/06/revelation-password-manager-considered.html
http://als.regnet.cz/fpm2/feedback/2
Regards,
--
Yves-Alexis
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages revelation depends on:
ii gconf2 3.2.5-1
ii gnome-extra-icons 1.1-2
ii gnome-icon-theme 3.4.0-2
ii python 2.7.3-1
ii python-cracklib 2.8.19-1
ii python-crypto 2.6-2
ii python-gnome2 2.28.1+dfsg-1
ii python-gobject 3.2.2-1
ii python-gtk2 2.24.0-3
ii python2.6 2.6.8-0.2
ii python2.7 2.7.3-1
ii shared-mime-info 1.0-1
revelation recommends no packages.
revelation suggests no packages.
-- no debconf information
More information about the Secure-testing-team
mailing list