Bug#1108942: krusader: exposes .zip passwords while (un)archiving

    From Samuel Plavec@1:229/2 to All on Tue Jul 8 13:10:01 2025
    From: [email protected]

    Package: krusader
    Version: 2:2.8.0-1
    Severity: normal
    Tags: security
    X-Debbugs-Cc: Debian Security Team <[email protected]>

    Dear Maintainer,

    I would like to report a security issue in Krusader. The
    version from Debian Unstable is also affected.

    When Krusader is used to create encrypted .zip files, or to
    unpack them, it runs the "zip"/"unzip" command, and passes the
    encryption password to the command using the "-P" option.
    As the zip(1) manual says, this is insecure, because it exposes
    the password to all processes, including processes of other
    users.

    This does not affect 7zip archives (at least not in a trivial
    way like .zip archives); the password is also passed to 7z
    using a command-line option, but is not readable from
    /proc/[PID]/cmdline; it is replaced by asterisks.

    Best regards,
    Samuel Plavec

    -- System Information:
    Debian Release: 12.11
    APT prefers stable-updates
    APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
    Architecture: amd64 (x86_64)
    Foreign Architectures: i386

    Kernel: Linux 6.1.0-37-amd64 (SMP w/2 CPU threads; PREEMPT)
    Kernel taint flags: TAINT_CRAP
    Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages krusader depends on:
    ii kinit 5.103.0-1
    ii kio 5.103.0-1+deb12u1
    ii libacl1 2.3.1-3
    ii libc6 2.36-9+deb12u10
    ii libkf5archive5 5.103.0-1
    ii libkf5bookmarks5 5.103.0-1
    ii libkf5codecs5 5.103.0-1
    ii libkf5completion5 5.103.0-1
    ii libkf5configcore5 5.103.0-2
    ii libkf5configgui5 5.103.0-2
    ii libkf5configwidgets5 5.103.0-1
    ii libkf5coreaddons5 5.103.0-1
    ii libkf5guiaddons5 5.103.0-1
    ii libkf5i18n5 5.103.0-1
    ii libkf5iconthemes5 5.103.0-1
    ii libkf5itemviews5 5.103.0-1
    ii libkf5jobwidgets5 5.103.0-1
    ii libkf5kiocore5 5.103.0-1+deb12u1
    ii libkf5kiofilewidgets5 5.103.0-1+deb12u1
    ii libkf5kiogui5 5.103.0-1+deb12u1
    ii libkf5kiowidgets5 5.103.0-1+deb12u1
    ii libkf5notifications5 5.103.0-1
    ii libkf5parts5 5.103.0-1
    ii libkf5service-bin 5.103.0-1
    ii libkf5service5 5.103.0-1
    ii libkf5solid5 5.103.0-1
    ii libkf5textwidgets5 5.103.0-1
    ii libkf5wallet-bin 5.103.0-1
    ii libkf5wallet5 5.103.0-1
    ii libkf5widgetsaddons5 5.103.0-1
    ii libkf5windowsystem5 5.103.0-1
    ii libkf5xmlgui5 5.103.0-1
    ii libqt5core5a 5.15.8+dfsg-11+deb12u3
    ii libqt5dbus5 5.15.8+dfsg-11+deb12u3
    ii libqt5gui5 5.15.8+dfsg-11+deb12u3
    ii libqt5printsupport5 5.15.8+dfsg-11+deb12u3
    ii libqt5widgets5 5.15.8+dfsg-11+deb12u3
    ii libqt5xml5 5.15.8+dfsg-11+deb12u3
    ii libstdc++6 12.2.0-14+deb12u1
    ii zlib1g 1:1.2.13.dfsg-1

    Versions of packages krusader recommends:
    ii kde-cli-tools 4:5.27.5.1-2
    ii keditbookmarks 22.12.3-1
    ii kio-extras 4:22.12.3-1

    Versions of packages krusader suggests:
    pn arj <none>
    pn ark <none>
    ii bzip2 1.0.8-5+b1
    ii cpio 2.13+dfsg-7.1
    ii kate 4:22.12.3-1
    pn kdiff3 | kompare | xxdiff <none>
    pn kmail <none>
    ii konsole 4:22.12.3-1+deb12u1
    pn krename <none>
    pn lha <none>
    pn md5deep | cfv <none>
    pn okteta <none>
    ii p7zip 16.02+dfsg-8
    pn rpm <none>
    pn unace <none>
    pn unrar | unrar-free | rar <none>
    ii unzip 6.0-28
    ii zip 3.0-13

    -- no debconf information
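Added example (my code, not from the bug report or from Krusader): an audit check that reads /proc/<pid>/cmdline the way any local process can and reports archiver invocations whose password argument is readable, separating the zip/unzip "-P" case from 7z's "-p", which the report observes is overwritten with asterisks. The tool-to-option table and the all-asterisk test for a masked value are my assumptions.

```python
import os
from typing import Dict, List, Optional

# Tool name -> (password option, whether the value may follow as a separate argument).
PASSWORD_OPTIONS = {"zip": ("-P", True), "unzip": ("-P", True),
                    "7z": ("-p", False), "7za": ("-p", False), "7zr": ("-p", False)}

def parse_cmdline(raw: bytes) -> List[str]:
    """Split a /proc/<pid>/cmdline buffer (NUL-separated, NUL-terminated) into argv."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def find_password_exposure(argv: List[str]) -> Optional[Dict[str, str]]:
    """Report whether argv is a known archiver carrying a password argument. The value
    is never returned: only "exposed" (plain text, the zip/unzip -P case) or "masked"
    (all asterisks, what the report observes for 7z's -p)."""
    if not argv:
        return None
    tool = os.path.basename(argv[0])
    if tool not in PASSWORD_OPTIONS:
        return None
    opt, separate = PASSWORD_OPTIONS[tool]
    args = argv[1:]
    for i, arg in enumerate(args):
        if separate and arg == opt and i + 1 < len(args):  # "-P secret"
            value = args[i + 1]
        elif arg.startswith(opt) and len(arg) > len(opt):   # "-Psecret" / "-psecret"
            value = arg[len(opt):]
        else:
            continue  # not a password argument (a bare 7z "-p" only prompts)
        masked = value != "" and set(value) == {"*"}
        return {"tool": tool, "option": opt, "state": "masked" if masked else "exposed"}
    return None

def scan_proc(proc_root: str = "/proc") -> List[Dict[str, str]]:
    """Walk a /proc tree and list every archiver process with a password argument."""
    findings: List[Dict[str, str]] = []
    if not os.path.isdir(proc_root):
        return findings
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "cmdline"), "rb") as f:
                argv = parse_cmdline(f.read())
        except OSError:  # process exited, or /proc mounted with hidepid
            continue
        finding = find_password_exposure(argv)
        if finding:
            findings.append({**finding, "pid": pid})
    return findings
```

Calling scan_proc() as an unprivileged user makes the report's point directly: every entry it returns is built from data any other local user could read, while the output itself never carries the password.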
