Debian Bug report logs - #702905
almanah: CVE-2013-1853: Almanah doesn't encrypt the database


Package: almanah; Maintainer for almanah is Angel Abad <angel@debian.org>; Source for almanah is src:almanah.

Reported by: Angel Abad <angel@debian.org>

Date: Tue, 12 Mar 2013 19:33:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions almanah/0.9.0-1, almanah/0.9.0-2

Fixed in versions almanah/0.10.1-1, almanah/0.9.1-1

Done: Angel Abad <angel@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugzilla.gnome.org/show_bug.cgi?id=695117




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org:
Bug#702905; Package almanah. (Tue, 12 Mar 2013 19:33:04 GMT)

Acknowledgement sent to Angel Abad <angel@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org. (Tue, 12 Mar 2013 19:33:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Angel Abad <angel@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: almanah: Almanah doesn't encrypt the database
Date: Tue, 12 Mar 2013 20:28:19 +0100
Package: almanah
Version: 0.9.0-2
Severity: grave
Tags: security upstream
Justification: user security hole

Dear Maintainer,
GApplication doesn't use the "quit_mainloop" event since GIO 2.32[1], so Almanah
doesn't encrypt the database[2] when the user closes the application.

Cheers,

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=es_ES.utf8, LC_CTYPE=es_ES.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages almanah depends on:
ii  dconf-gsettings-backend [gsettings-backend]  0.12.1-3
ii  gconf-service                                3.2.5-1+build1
ii  libatk1.0-0                                  2.4.0-2
ii  libc6                                        2.13-38
ii  libcairo-gobject2                            1.12.2-3
ii  libcairo2                                    1.12.2-3
ii  libcryptui0a                                 3.2.2-1
ii  libebook-1.2-13                              3.4.4-3
ii  libecal-1.2-11                               3.4.4-3
ii  libedataserver-1.2-16                        3.4.4-3
ii  libedataserverui-3.0-1                       3.4.4-3
ii  libgconf-2-4                                 3.2.5-1+build1
ii  libgdk-pixbuf2.0-0                           2.26.1-1
ii  libglib2.0-0                                 2.33.12+really2.32.4-5
ii  libgpg-error0                                1.10-3.1
ii  libgpgme11                                   1.2.0-1.4
ii  libgtk-3-0                                   3.4.2-6
ii  libgtkspell-3-0                              3.0.0~hg20110814-1
ii  libical0                                     0.48-2
ii  libpango1.0-0                                1.30.0-1
ii  libsoup2.4-1                                 2.38.1-2
ii  libsqlite3-0                                 3.7.15.2-1
ii  libxml2                                      2.8.0+dfsg1-7+nmu1

Versions of packages almanah recommends:
ii  seahorse  3.4.1-2

almanah suggests no packages.

-- no debconf information
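The failure mode above is that the diary is left on disk as a readable SQLite database after the application exits. As an added check (not code from Almanah or from this bug log), the script below classifies a diary file by its leading bytes: a plaintext SQLite 3 header means the encrypt-on-close step did not run, while an OpenPGP packet header or ASCII armor is what a GPGME-encrypted diary starts with. It assumes only those two on-disk forms; the sample headers and the file name diary.db are constructed for the demonstration.

```python
# Added example (not Almanah's or Debian's code): classify a diary file by its
# leading bytes. Assumes the diary on disk is either a plain SQLite 3 database
# (the unencrypted state this report describes) or an OpenPGP message from GPGME.
import sys

SQLITE_MAGIC = b"SQLite format 3\x00"      # first 16 bytes of every SQLite 3 file
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"
OPENPGP_LEADING_TAGS = {1, 3, 8, 9, 18}    # RFC 4880: PKESK, SKESK, compressed, SED, SEIPD


def classify(header: bytes) -> str:
    """Return 'plaintext-sqlite', 'openpgp' or 'unknown' for a file's leading bytes."""
    if header.startswith(SQLITE_MAGIC):
        return "plaintext-sqlite"
    if header.startswith(PGP_ARMOR):
        return "openpgp"
    if not header or not header[0] & 0x80:  # bit 7 is set in every OpenPGP packet header
        return "unknown"
    if header[0] & 0x40:                    # new-format header: tag in the low 6 bits
        tag = header[0] & 0x3F
    else:                                   # old-format header: tag in bits 2..5
        tag = (header[0] >> 2) & 0x0F
    return "openpgp" if tag in OPENPGP_LEADING_TAGS else "unknown"


def check_file(path: str) -> str:
    """Classify a file on disk by its first 32 bytes."""
    with open(path, "rb") as fh:
        return classify(fh.read(32))


# Constructed sample headers, not captured from a real diary.
SAMPLES = {
    "unencrypted diary.db": SQLITE_MAGIC + b"\x10\x00\x01\x01",
    "gpg -e output (old-format PKESK)": b"\x85\x01\x0c\x03",
    "gpg -c output (old-format SKESK)": b"\x8c\x0d\x04",
    "armored message": PGP_ARMOR + b"\n",
    "something else": b"hello world",
}


def classify_samples() -> dict:
    return {name: classify(hdr) for name, hdr in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:34} -> {verdict}")
    if len(sys.argv) > 1:                   # optionally check a real file, e.g. diary.db
        verdict = check_file(sys.argv[1])
        print(f"{sys.argv[1]}: {verdict}")
        sys.exit(1 if verdict == "plaintext-sqlite" else 0)
```

Run it with the path of the diary after closing the application; a non-zero exit means the file is still a readable SQLite database.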



Set Bug forwarded-to-address to 'https://bugzilla.gnome.org/show_bug.cgi?id=695117'. Request was from Angel Abad <angel@debian.org> to control@bugs.debian.org. (Tue, 12 Mar 2013 19:42:03 GMT)

Added tag(s) fixed-upstream. Request was from Angel Abad <angel@debian.org> to control@bugs.debian.org. (Tue, 12 Mar 2013 19:42:04 GMT)

Reply sent to Angel Abad <angel@debian.org>:
You have taken responsibility. (Tue, 12 Mar 2013 20:36:08 GMT)

Notification sent to Angel Abad <angel@debian.org>:
Bug acknowledged by developer. (Tue, 12 Mar 2013 20:36:08 GMT)

Message #14 received at 702905-close@bugs.debian.org:

From: Angel Abad <angel@debian.org>
To: 702905-close@bugs.debian.org
Subject: Bug#702905: fixed in almanah 0.9.1-1
Date: Tue, 12 Mar 2013 20:32:31 +0000
Source: almanah
Source-Version: 0.9.1-1

We believe that the bug you reported is fixed in the latest version of
almanah, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702905@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Angel Abad <angel@debian.org> (supplier of updated almanah package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Tue, 12 Mar 2013 20:57:12 +0100
Source: almanah
Binary: almanah
Architecture: source amd64
Version: 0.9.1-1
Distribution: unstable
Urgency: high
Maintainer: Angel Abad <angel@debian.org>
Changed-By: Angel Abad <angel@debian.org>
Description: 
 almanah    - Application to ease management of a personal diary
Closes: 702905
Changes: 
 almanah (0.9.1-1) unstable; urgency=high
 .
   * Imported Upstream version 0.9.1 (Closes: #702905)




Reply sent to Angel Abad <angel@debian.org>:
You have taken responsibility. (Tue, 12 Mar 2013 20:36:10 GMT)

Notification sent to Angel Abad <angel@debian.org>:
Bug acknowledged by developer. (Tue, 12 Mar 2013 20:36:10 GMT)

Message #19 received at 702905-close@bugs.debian.org:

From: Angel Abad <angel@debian.org>
To: 702905-close@bugs.debian.org
Subject: Bug#702905: fixed in almanah 0.10.1-1
Date: Tue, 12 Mar 2013 20:32:37 +0000
Source: almanah
Source-Version: 0.10.1-1

We believe that the bug you reported is fixed in the latest version of
almanah, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702905@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Angel Abad <angel@debian.org> (supplier of updated almanah package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Tue, 12 Mar 2013 21:21:29 +0100
Source: almanah
Binary: almanah
Architecture: source amd64
Version: 0.10.1-1
Distribution: experimental
Urgency: high
Maintainer: Angel Abad <angel@debian.org>
Changed-By: Angel Abad <angel@debian.org>
Description: 
 almanah    - Application to ease management of a personal diary
Closes: 702905
Changes: 
 almanah (0.10.1-1) experimental; urgency=high
 .
   * Imported Upstream version 0.10.1 (Closes: #702905)




Marked as found in versions almanah/0.9.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 24 Mar 2013 09:12:04 GMT)

Changed Bug title to 'almanah: CVE-2013-1853: Almanah doesn't encrypt the database' from 'almanah: Almanah doesn't encrypt the database'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 24 Mar 2013 10:00:08 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Angel Abad <angel@debian.org>:
Bug#702905; Package almanah. (Sun, 24 Mar 2013 11:12:03 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Angel Abad <angel@debian.org>. (Sun, 24 Mar 2013 11:12:03 GMT)

Message #28 received at 702905@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Angel Abad <angel@debian.org>, 702911@bugs.debian.org
Cc: 702905@bugs.debian.org
Subject: Re: Bug#702911: unblock: almanah/0.9.1-1
Date: Sun, 24 Mar 2013 12:09:38 +0100
Hi Angel

Disclaimer: not part of the release team but noticed #702911 as the
corresponding #702905 in almanah fixes a security bug.

It looks like your unblock request never went through the list, as the
debdiff is quite big. At this stage of the release the release team
will probably not acknowledge this unblock request.

I did only a short test: this also looks like a regression from Squeeze,
as in Squeeze it is possible to have an encrypted diary. But after upgrading
to wheezy, the diary.db does not get encrypted after closing.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Angel Abad <angel@debian.org>:
Bug#702905; Package almanah. (Sun, 24 Mar 2013 14:21:08 GMT)

Acknowledgement sent to Ivo De Decker <ivo.dedecker@ugent.be>:
Extra info received and forwarded to list. Copy sent to Angel Abad <angel@debian.org>. (Sun, 24 Mar 2013 14:21:08 GMT)

Message #33 received at 702905@bugs.debian.org:

From: Ivo De Decker <ivo.dedecker@ugent.be>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 702911@bugs.debian.org, Angel Abad <angel@debian.org>, 702905@bugs.debian.org
Subject: Re: Bug#702911: unblock: almanah/0.9.1-1
Date: Sun, 24 Mar 2013 15:17:17 +0100
Hi Angel and Salvatore,

On Sun, Mar 24, 2013 at 01:44:35PM +0100, Salvatore Bonaccorso wrote:

> On Sun, Mar 24, 2013 at 12:09:38PM +0100, Salvatore Bonaccorso wrote:
> > Disclaimer: not part of the release team but noticed #702911 as the
> > corresponding #702905 in almanah fixes a security bug.
> > 
> > It looks like your unblock request never went through the list, as the
> > debdiff is quite big. At this stage of the release the release team
> > will probably not acknowledge this unblock request.
> > 
> > I did only a short test: this also looks like a regression from Squeeze,
> > as in Squeeze it is possible to have an encrypted diary. But after upgrading
> > to wheezy, the diary.db does not get encrypted after closing.
> 
> I was a little bit too fast hitting enter and sending the email, and did not
> propose something for this. With the above, I think the best approach would
> be to upload an almanah package through t-p-u versioned as
> 0.9.0-1+deb7u1 containing only the fix needed.

I took a look at the patch, and it seems only the very last part (which changes
the code) is actually needed. I created a patch for a TPU version with only
this change and did some basic testing. With this patch, the db is encrypted.

> But this needs first an approval by the release team.

Obviously. But that seems more likely than a review of the diff between the
versions in wheezy and sid.

Cheers,

Ivo

[almanah_0.9.0-1+deb7u1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Angel Abad <angel@debian.org>:
Bug#702905; Package almanah. (Mon, 25 Mar 2013 06:51:04 GMT)

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Angel Abad <angel@debian.org>. (Mon, 25 Mar 2013 06:51:04 GMT)

Message #38 received at 702905@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Salvatore Bonaccorso <carnil@debian.org>, 702905@bugs.debian.org
Cc: Angel Abad <angel@debian.org>, 702911-done@bugs.debian.org
Subject: Re: Bug#702905: Bug#702911: unblock: almanah/0.9.1-1
Date: Mon, 25 Mar 2013 06:46:01 +0000
On Sun, 2013-03-24 at 12:09 +0100, Salvatore Bonaccorso wrote:
> Disclaimer: not part of the release team but noticed #702911 as the
> corresponding #702905 in almanah fixes a security bug.
> 
> It looks like your unblock request never went through the list, as the
> debdiff is quite big. At this stage of the release the release team
> will probably not acknowledge this unblock request.

It looks like Julien unblocked it yesterday, and it's already migrated.

Regards,

Adam




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#702905; Package almanah. (Mon, 25 Mar 2013 20:57:12 GMT)

Acknowledgement sent to Angel Abad <angel@debian.org>:
Extra info received and forwarded to list. (Mon, 25 Mar 2013 20:57:12 GMT)

Message #43 received at 702905@bugs.debian.org:

From: Angel Abad <angel@debian.org>
To: 702911@bugs.debian.org
Cc: 702905@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>, Ivo De Decker <ivo.dedecker@ugent.be>
Date: Mon, 25 Mar 2013 21:54:34 +0100
Hi, 0.9.1-1 is now in testing, thanks for your attention.

Cheers,

-- 
Angel Abad
angel@debian.org | angelabad@ubuntu.com | angelabad@gmail.com
http://www.pastelero.net
FPR: EBF6 080D 59D4 008A DF47  00D4 098D AE47 EE3B C279

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 23 Apr 2013 07:25:53 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 06:55:03 2014; Machine Name: beach.debian.org
