Security issue in kwalletcli_getpin(1): tty I/O now properly disables echoing input when asking for a passphrase is not fixed

Bug #802274 reported by Michael Basse
Affects: kwalletcli (Ubuntu)
Status: Expired
Importance: Low
Assigned to: Unassigned
Milestone:

Bug Description

As it seems, the following security issue is not fixed in Natty for the package kwalletcli:

"Security fix in kwalletcli_getpin(1): tty I/O now properly disables echoing input when asking for a passphrase"

It looks like 2.03, the version in Natty is affected unless it has been patched for this bug (right?). The project site is here:
https://www.mirbsd.org/kwalletcli.htm

Under the changelog for version 2.10, the fix is listed. Also, it seems that the package in oneiric is the latest 2.11, so it is not affected by the problem:
http://packages.ubuntu.com/oneiric/kwalletcli

Maybe a security maintainer can have a look at it.
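The changelog entry quoted above concerns a passphrase prompt that left terminal echo on. As an illustration added here (not kwalletcli's own code; the function names are my own), this is the termios pattern such a fix relies on in C: save the tty settings, clear ECHO, read the line, and restore the settings afterwards. It also includes a small check function a packager could use to verify that echo really is off while the prompt is active.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Returns 1 if the terminal on fd currently echoes input, 0 if it does
 * not, and -1 if fd is not a terminal. Handy for checking a fix like this. */
int tty_echo_enabled(int fd) {
    struct termios t;
    if (tcgetattr(fd, &t) != 0) return -1;
    return (t.c_lflag & ECHO) ? 1 : 0;
}

/* Switches echo off on fd, saving the previous settings in *saved.
 * Returns 1 if echo was switched off, 0 if fd is not a terminal
 * (input piped from a file: nothing to hide), -1 on error. */
int tty_echo_off(int fd, struct termios *saved) {
    struct termios t;
    if (!isatty(fd)) return 0;
    if (tcgetattr(fd, saved) != 0) return -1;
    t = *saved;
    t.c_lflag &= ~(tcflag_t)ECHO;  /* do not echo typed characters */
    t.c_lflag |= ECHONL;           /* but still echo the final newline */
    return tcsetattr(fd, TCSAFLUSH, &t) == 0 ? 1 : -1;
}

/* Reads one line from in into buf, stripping the trailing newline, with
 * echo disabled while the line is read. Returns the length or -1.
 * A production version should also restore echo from a SIGINT handler. */
ssize_t read_passphrase(FILE *in, char *buf, size_t buflen) {
    struct termios saved;
    int fd = fileno(in);
    int state = tty_echo_off(fd, &saved);
    ssize_t len = -1;
    if (state < 0) return -1;
    if (fgets(buf, (int)buflen, in) != NULL) {
        size_t n = strlen(buf);
        if (n > 0 && buf[n - 1] == '\n')
            buf[--n] = '\0';
        len = (ssize_t)n;
    }
    if (state == 1)
        tcsetattr(fd, TCSAFLUSH, &saved);  /* always restore the tty */
    return len;
}
```

When standard input is a terminal, `tty_echo_enabled(0)` should return 0 for the duration of the prompt and 1 again once `read_passphrase` returns.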

Tags: patch
Revision history for this message
Michael Basse (michael-alpha-unix) wrote :

The initial discussion about this issue can be found here:

https://answers.launchpad.net/ubuntu/+source/kwalletcli/+question/162805

security vulnerability: no → yes
Thorsten Glaser (mirabilos) wrote :
tags: added: patch
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in kwalletcli (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
Michael Basse (michael-alpha-unix) wrote :

Sorry for the long wait. I have patched the patch so it can be used with kwalletcli_2.0.3. You will find that patch as an attachment. Also I have created the debdiff.

It would be great if someone from the security team could look over my debdiff. I would be very happy for feedback about my first debdiff :)

Michael Basse (michael-alpha-unix) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "modified patch to applie on 2.03" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-sponsors please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

Michael Basse (michael-alpha-unix) wrote :

I added "ubuntu-security-sponsors" on CC.

Please have a look at the debdiff. I would be happy about feedback from you.

Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiff, but there are a couple of changes that need to be done before it can be accepted:

- Please rename the patch from "debian-changes-2.03-1ubuntu2" to something more appropriate
- Please mention the patch in debian/changelog. For example:
   " - debian/patches/disable_echoing.patch: Merge Patch from kwalletcli 2.10..."
- Please add the appropriate tagging to the patch (such as upstream commit, this bug #, etc.), as per the guidelines here: http://dep.debian.net/deps/dep3/
- Please change the version number to "2.03-1ubuntu1.1" and the release to "natty-security", as per the guidelines here: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging

Also, please describe the testing you've performed to make sure the package still works after the fix.

I'm unsubscribing ubuntu-security-sponsors for now. Please re-subscribe the group once a revised debdiff has been attached.

Thanks!

Changed in kwalletcli (Ubuntu):
status: Confirmed → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for kwalletcli (Ubuntu) because there has been no activity for 60 days.]

Changed in kwalletcli (Ubuntu):
status: Incomplete → Expired
This report contains Public Security information  
Everyone can see this security related information.