Package: krusader
Version: 2:2.8.0-1
Severity: normal
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Dear Maintainer,

I would like to report a security issue in Krusader. The version from Debian Unstable is also affected.

When Krusader is used to create encrypted .zip files, or to unpack them, it runs the "zip"/"unzip" command, and passes the encryption password to the command using the "-P" option. As the zip(1) manual says, this is insecure, because it exposes the password to all processes, including processes of other users.

This does not affect 7zip archives (at least not in a trivial way like .zip archives); the password is also passed to 7z using a command-line option, but is not readable from /proc/[PID]/cmdline; it is replaced by asterisks.

Best regards,
Samuel Plavec

-- System Information:
Debian Release: 12.11
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-37-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_CRAP
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages krusader depends on:
ii  kinit                    5.103.0-1
ii  kio                      5.103.0-1+deb12u1
ii  libacl1                  2.3.1-3
ii  libc6                    2.36-9+deb12u10
ii  libkf5archive5           5.103.0-1
ii  libkf5bookmarks5         5.103.0-1
ii  libkf5codecs5            5.103.0-1
ii  libkf5completion5        5.103.0-1
ii  libkf5configcore5        5.103.0-2
ii  libkf5configgui5         5.103.0-2
ii  libkf5configwidgets5     5.103.0-1
ii  libkf5coreaddons5        5.103.0-1
ii  libkf5guiaddons5         5.103.0-1
ii  libkf5i18n5              5.103.0-1
ii  libkf5iconthemes5        5.103.0-1
ii  libkf5itemviews5         5.103.0-1
ii  libkf5jobwidgets5        5.103.0-1
ii  libkf5kiocore5           5.103.0-1+deb12u1
ii  libkf5kiofilewidgets5    5.103.0-1+deb12u1
ii  libkf5kiogui5            5.103.0-1+deb12u1
ii  libkf5kiowidgets5        5.103.0-1+deb12u1
ii  libkf5notifications5     5.103.0-1
ii  libkf5parts5             5.103.0-1
ii  libkf5service-bin        5.103.0-1
ii  libkf5service5           5.103.0-1
ii  libkf5solid5             5.103.0-1
ii  libkf5textwidgets5       5.103.0-1
ii  libkf5wallet-bin         5.103.0-1
ii  libkf5wallet5            5.103.0-1
ii  libkf5widgetsaddons5     5.103.0-1
ii  libkf5windowsystem5      5.103.0-1
ii  libkf5xmlgui5            5.103.0-1
ii  libqt5core5a             5.15.8+dfsg-11+deb12u3
ii  libqt5dbus5              5.15.8+dfsg-11+deb12u3
ii  libqt5gui5               5.15.8+dfsg-11+deb12u3
ii  libqt5printsupport5      5.15.8+dfsg-11+deb12u3
ii  libqt5widgets5           5.15.8+dfsg-11+deb12u3
ii  libqt5xml5               5.15.8+dfsg-11+deb12u3
ii  libstdc++6               12.2.0-14+deb12u1
ii  zlib1g                   1:1.2.13.dfsg-1

Versions of packages krusader recommends:
ii  kde-cli-tools    4:5.27.5.1-2
ii  keditbookmarks   22.12.3-1
ii  kio-extras       4:22.12.3-1

Versions of packages krusader suggests:
pn  arj                         <none>
pn  ark                         <none>
ii  bzip2                       1.0.8-5+b1
ii  cpio                        2.13+dfsg-7.1
ii  kate                        4:22.12.3-1
pn  kdiff3 | kompare | xxdiff   <none>
pn  kmail                       <none>
ii  konsole                     4:22.12.3-1+deb12u1
pn  krename                     <none>
pn  lha                         <none>
pn  md5deep | cfv               <none>
pn  okteta                      <none>
ii  p7zip                       16.02+dfsg-8
pn  rpm                         <none>
pn  unace                       <none>
pn  unrar | unrar-free | rar    <none>
ii  unzip                       6.0-28
ii  zip                         3.0-13

-- no debconf information
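A defender-side check for the exposure the report describes, added here as an example and not part of the bug report or of Krusader's code: it walks /proc/*/cmdline, flags zip/unzip processes that carry a password via "-P", and reports them with the secret redacted rather than printed. The "<REDACTED>" marker and the sample argv values in the test are constructed for illustration.

```python
"""Audit /proc for zip/unzip processes whose password sits on the command
line (zip/unzip "-P"), i.e. readable by every local user via
/proc/<pid>/cmdline. Offending processes are reported with the secret
redacted; the password itself is never displayed."""
import os
from pathlib import Path
from typing import List, Optional, Tuple

ZIP_TOOLS = {"zip", "unzip"}
MASK = "<REDACTED>"  # constructed placeholder, never the real value


def parse_cmdline(raw: bytes) -> List[str]:
    """Split the NUL-separated /proc/<pid>/cmdline contents into argv."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def redact_password_args(argv: List[str]) -> Optional[List[str]]:
    """If argv is a zip/unzip invocation carrying "-P <password>" or
    "-P<password>", return a copy with the password masked; else None."""
    if not argv or os.path.basename(argv[0]) not in ZIP_TOOLS:
        return None
    out, found, i = [], False, 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-P":                      # password as the next argument
            out.append(arg)
            if i + 1 < len(argv):
                out.append(MASK)
                i += 1
            found = True
        elif arg.startswith("-P"):           # password glued to the flag
            out.append("-P" + MASK)
            found = True
        else:
            out.append(arg)
        i += 1
    return out if found else None


def scan_proc(proc: Path = Path("/proc")) -> List[Tuple[int, List[str]]]:
    """Return (pid, redacted argv) for every process exposing a zip password.
    Note: with proc mounted hidepid=2 other users' entries are not visible."""
    hits = []
    for entry in proc.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            argv = parse_cmdline((entry / "cmdline").read_bytes())
        except OSError:          # process exited or is not readable
            continue
        redacted = redact_password_args(argv)
        if redacted is not None:
            hits.append((int(entry.name), redacted))
    return hits


if __name__ == "__main__":
    for pid, argv in scan_proc():
        print(f"pid {pid}: password on command line: {' '.join(argv)}")
```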