Package: tomb
Version: 2.7+dfsg2-2
Severity: important
Tags: security,upstream
Forwarded: https://github.com/dyne/Tomb/issues/392
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

The flaw described in bug #974719 [1] still shows up when using Tomb in debug mode (-D added to all calls). Contrary to what is stated in bug #974719 [1], tomb 2.5+dfsg1-2 is not affected.

This is the issue I opened upstream:

------ Start of copied message ------

[...] the fix https://github.com/dyne/Tomb/pull/386 for https://github.com/dyne/Tomb/issues/385 only hides the issue. When doing all the calls to tomb with the -D parameter added, the problem is back:

    tomb dig -D -s20 test.tomb
    DISPLAY=':0' tomb forge -D -f -k test.key
    DISPLAY=':0' tomb lock -D -k test.key test.tomb
    DISPLAY=':0' tomb open -D -f -k test.key test.tomb

Only the injected password is now a different one. On my test system it is:

    tomb [D] asking password with tty=/dev/pts/0 lc-ctype=en_US.UTF-8

Actually, ask_password returns several lines of debug output followed by the read-in password:

    tomb [D] asking password with tty=/dev/pts/0 lc-ctype=en_US.UTF-8
    tomb [D] using pinentry-curses
    tomb [D] Detected DISPLAY, but only pinentry-curses is found.
    1234

The root cause of the issue is a change to _msg introduced with commit 477ab204439ddb88d7293d3c35a29e29751feda9, "Overhaul message printing". Before this commit, _msg wrote all its output to stderr. Since that change, only failure notifications go to stderr; everything else goes to stdout. As ask_password returns the read password via stdout, the messages printed to stdout from within ask_password beforehand plus the read password are received by the calling code on consecutive lines. The first of these lines is then picked as the password.

Not sure how this can be fixed reliably. Maybe ask_password should return the password in a global variable instead of passing it via stdout.

Regarding CVE-2020-28638:
-----------------------------------------
The commit happened on Nov 24, 2018. This means the flaw affects only Tomb 2.6 and 2.7. CVE-2020-28638's description should be corrected in this regard.

[...]

------ End of copied message ------

Sven

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=974719

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 5.9.0-1-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages tomb depends on:
ii  cryptsetup-bin              2:2.3.4-1
ii  e2fsprogs                   1.45.6-1
ii  file                        1:5.38-5
ii  gettext-base                0.19.8.1-10
ii  gnupg                       2.2.20-1
ii  libc6                       2.31-4
ii  libgcrypt20                 1.8.7-2
ii  pinentry-gnome3 [pinentry]  1.1.0-4
ii  sudo                        1.9.3p1-1
ii  zsh                         5.8-5

Versions of packages tomb recommends:
ii  lsof  4.93.2+dfsg-1

Versions of packages tomb suggests:
pn  dcfldd    <none>
pn  qrencode  <none>
pn  steghide  <none>
pn  swish-e   <none>
ii  unoconv   0.7-2

-- no debconf information

-- 
GPG Fingerprint 3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585
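The root cause described in the copied message (a helper that returns its result on stdout while debug messages also go to stdout) reduced to a small shell script, as an added illustration that is not Tomb's code: the debug message text is taken from the report, while the password value, the `DEBUG` flag and the capturing caller are constructed here. It also shows why the issue is invisible with debug output off and the two ways the report implies to fix it.

```shell
#!/bin/sh
# Added illustration, not Tomb's code. "$1" stands in for the value the
# real helper reads from pinentry; DEBUG mirrors Tomb's -D switch.

DEBUG=1
DEBUG_MSG="tomb [D] asking password with tty=/dev/pts/0 lc-ctype=en_US.UTF-8"

# Buggy pattern: the debug line lands on stdout *before* the password.
ask_password_buggy() {
    if [ "$DEBUG" = 1 ]; then printf '%s\n' "$DEBUG_MSG"; fi
    printf '%s\n' "$1"
}

# Fix 1: every non-result message goes to stderr, so stdout is the result only.
ask_password_stderr() {
    if [ "$DEBUG" = 1 ]; then printf '%s\n' "$DEBUG_MSG" >&2; fi
    printf '%s\n' "$1"
}

# Fix 2 (the approach the report suggests): hand the value back in a
# variable, so nothing that is printed can be mistaken for the result.
ask_password_var() {
    if [ "$DEBUG" = 1 ]; then printf '%s\n' "$DEBUG_MSG" >&2; fi
    PASSWORD=$1
}

# A caller that captures stdout and keeps only the first line; this is
# how the debug text ends up being used as the password.
first_line() { printf '%s\n' "$1" | head -n 1; }

demo_buggy()         { first_line "$(ask_password_buggy "$1")"; }
demo_buggy_nodebug() { ( DEBUG=0; first_line "$(ask_password_buggy "$1")" ); }
demo_stderr()        { first_line "$(ask_password_stderr "$1")"; }
demo_var()           { ask_password_var "$1"; printf '%s\n' "$PASSWORD"; }

# Stand-alone run: the first call prints the debug text, the other three
# print 1234 (the nodebug variant only works because -D is off).
demo_buggy 1234; demo_buggy_nodebug 1234; demo_stderr 1234; demo_var 1234
```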