Yves-Alexis Perez
2012-Jul-03 09:37 UTC
[Secure-testing-team] Bug#680059: revelation: FPM exporter doesn't encrypt password files [CVE-2012-3818]
Package: revelation
Version: 0.4.13-1
Severity: grave
Tags: security
Justification: user security hole

Hey,

it seems that the revelation password manager has an issue in the export function for the Figaro Password Manager format. A quick test seems to reveal that it in fact uses the XML (unencrypted) format, while still asking for a password and not warning the user that the export is insecure. I didn't test the other export formats but it might be worth looking at them.

This has been assigned CVE-2012-3818.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3818
http://knoxin.blogspot.co.uk/2012/06/revelation-password-manager-considered.html
http://als.regnet.cz/fpm2/feedback/2

Regards,
-- 
Yves-Alexis

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages revelation depends on:
ii  gconf2             3.2.5-1
ii  gnome-extra-icons  1.1-2
ii  gnome-icon-theme   3.4.0-2
ii  python             2.7.3-1
ii  python-cracklib    2.8.19-1
ii  python-crypto      2.6-2
ii  python-gnome2      2.28.1+dfsg-1
ii  python-gobject     3.2.2-1
ii  python-gtk2        2.24.0-3
ii  python2.6          2.6.8-0.2
ii  python2.7          2.7.3-1
ii  shared-mime-info   1.0-1

revelation recommends no packages.

revelation suggests no packages.

-- no debconf information
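The report's core point is that an export which prompts for a password still writes the vault in clear. A user-side canary check is a quick way to confirm whether any exporter actually encrypts its output: put a known throwaway secret in the vault, export, and look for it in the file. The following is an added example written for this page, not code from the bug report or from the revelation project; the XML element names and the sample files are constructed and do not claim to be the FPM or revelation schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what a password-protected export must NOT look
# like: a well-formed plaintext XML document carrying the canary in clear.
PLAINTEXT_EXPORT = b"""<?xml version="1.0" encoding="utf-8"?>
<passwords>
  <entry>
    <title>canary site</title>
    <username>alice</username>
    <password>CANARY-8f2c-not-a-real-secret</password>
  </entry>
</passwords>
"""

# Constructed stand-in for a genuinely encrypted export: opaque bytes that
# neither parse as XML nor contain the canary in any text encoding.
OPAQUE_EXPORT = bytes(range(256)) * 4

CANARY = "CANARY-8f2c-not-a-real-secret"


def parses_as_xml(data):
    """True if the export is a well-formed XML document (a cleartext container)."""
    try:
        ET.fromstring(data)
        return True
    except ET.ParseError:
        return False


def canary_found(data, canary):
    """True if the canary secret appears verbatim in a common text encoding."""
    for enc in ("utf-8", "utf-16-le", "utf-16-be", "latin-1"):
        if canary.encode(enc) in data:
            return True
    return False


def assess_export(data, canary):
    """Classify an exported vault as 'plaintext', 'suspicious' or 'opaque'.

    'plaintext'  - the canary is readable in the file: the export is not encrypted.
    'suspicious' - no canary seen, but the file is structured cleartext XML;
                   inspect it by hand, entries may be encoded rather than encrypted.
    'opaque'     - neither condition holds, consistent with an encrypted blob.
    """
    if canary_found(data, canary):
        return "plaintext"
    if parses_as_xml(data):
        return "suspicious"
    return "opaque"
```

A result of 'opaque' only means the canary is not visible in clear; it does not by itself prove the cipher or key derivation is sound.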