[Pkg-kde-extras] Bug#1108942: krusader: exposes .zip passwords while (un)archiving
Samuel Plavec
samuelplavec at gmail.com
Tue Jul 8 12:00:00 BST 2025
Package: krusader
Version: 2:2.8.0-1
Severity: normal
Tags: security
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
Dear Maintainer,
I would like to report a security issue in Krusader. The
version from Debian Unstable is also affected.
When Krusader is used to create encrypted .zip files, or to
unpack them, it runs the "zip"/"unzip" command, and passes the
encryption password to the command using the "-P" option.
As the zip(1) manual says, this is insecure, because it exposes
the password to all processes, including processes of other
users.
This does not affect 7zip archives (at least not in a trivial
way like .zip archives); the password is also passed to 7z
using a command-line option, but is not readable from
/proc/[PID]/cmdline; it is replaced by asterisks.
Best regards,
Samuel Plavec
-- System Information:
Debian Release: 12.11
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.1.0-37-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_CRAP
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages krusader depends on:
ii kinit 5.103.0-1
ii kio 5.103.0-1+deb12u1
ii libacl1 2.3.1-3
ii libc6 2.36-9+deb12u10
ii libkf5archive5 5.103.0-1
ii libkf5bookmarks5 5.103.0-1
ii libkf5codecs5 5.103.0-1
ii libkf5completion5 5.103.0-1
ii libkf5configcore5 5.103.0-2
ii libkf5configgui5 5.103.0-2
ii libkf5configwidgets5 5.103.0-1
ii libkf5coreaddons5 5.103.0-1
ii libkf5guiaddons5 5.103.0-1
ii libkf5i18n5 5.103.0-1
ii libkf5iconthemes5 5.103.0-1
ii libkf5itemviews5 5.103.0-1
ii libkf5jobwidgets5 5.103.0-1
ii libkf5kiocore5 5.103.0-1+deb12u1
ii libkf5kiofilewidgets5 5.103.0-1+deb12u1
ii libkf5kiogui5 5.103.0-1+deb12u1
ii libkf5kiowidgets5 5.103.0-1+deb12u1
ii libkf5notifications5 5.103.0-1
ii libkf5parts5 5.103.0-1
ii libkf5service-bin 5.103.0-1
ii libkf5service5 5.103.0-1
ii libkf5solid5 5.103.0-1
ii libkf5textwidgets5 5.103.0-1
ii libkf5wallet-bin 5.103.0-1
ii libkf5wallet5 5.103.0-1
ii libkf5widgetsaddons5 5.103.0-1
ii libkf5windowsystem5 5.103.0-1
ii libkf5xmlgui5 5.103.0-1
ii libqt5core5a 5.15.8+dfsg-11+deb12u3
ii libqt5dbus5 5.15.8+dfsg-11+deb12u3
ii libqt5gui5 5.15.8+dfsg-11+deb12u3
ii libqt5printsupport5 5.15.8+dfsg-11+deb12u3
ii libqt5widgets5 5.15.8+dfsg-11+deb12u3
ii libqt5xml5 5.15.8+dfsg-11+deb12u3
ii libstdc++6 12.2.0-14+deb12u1
ii zlib1g 1:1.2.13.dfsg-1
Versions of packages krusader recommends:
ii kde-cli-tools 4:5.27.5.1-2
ii keditbookmarks 22.12.3-1
ii kio-extras 4:22.12.3-1
Versions of packages krusader suggests:
pn arj <none>
pn ark <none>
ii bzip2 1.0.8-5+b1
ii cpio 2.13+dfsg-7.1
ii kate 4:22.12.3-1
pn kdiff3 | kompare | xxdiff <none>
pn kmail <none>
ii konsole 4:22.12.3-1+deb12u1
pn krename <none>
pn lha <none>
pn md5deep | cfv <none>
pn okteta <none>
ii p7zip 16.02+dfsg-8
pn rpm <none>
pn unace <none>
pn unrar | unrar-free | rar <none>
ii unzip 6.0-28
ii zip 3.0-13
-- no debconf information
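The report's point is that a password passed as a zip/unzip "-P" argument is visible to every local user through /proc/[PID]/cmdline. The following audit script is an added example, not part of the bug report or of Krusader: it reads the NUL-separated argv from /proc, flags zip/unzip processes invoked with -P (both the "-P secret" and the attached "-Psecret" forms), and reports the PID and owner with the password masked, so the audit itself does not re-expose it. The SAMPLE dictionary is constructed data; 7z is deliberately not in the ARCHIVERS set because the report states that 7z masks the option with asterisks.

```python
"""Audit /proc for zip/unzip processes that received a password via -P.

Added example; not code from the bug report or from Krusader. Only the
presence of the leak is reported, never the password itself.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

# Archivers the bug report names as leaking the password in argv.
# 7z is omitted: the report says it replaces the password with asterisks.
ARCHIVERS = {"zip", "unzip"}
MASK = "********"


@dataclass
class Finding:
    pid: int
    uid: int            # owner of the process, -1 when unknown
    program: str
    redacted_argv: list[str]


def parse_cmdline(raw: bytes) -> list[str]:
    """Split the NUL-separated bytes of /proc/<pid>/cmdline into argv."""
    if not raw:
        return []
    return [a.decode("utf-8", "replace") for a in raw.rstrip(b"\0").split(b"\0")]


def redact_password_option(argv: list[str]) -> tuple[bool, list[str]]:
    """Return (found, argv with any -P password replaced by MASK).

    Handles "-P secret" (separate argument) and "-Psecret" (attached).
    Everything after "--" is treated as file names and left untouched.
    """
    found = False
    out: list[str] = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "--":
            out.extend(argv[i:])
            break
        if arg == "-P":
            found = True
            out.append(arg)
            if i + 1 < len(argv):      # the password is the next argument
                out.append(MASK)
                i += 1
        elif arg.startswith("-P") and len(arg) > 2:
            found = True               # password attached to the option
            out.append("-P" + MASK)
        else:
            out.append(arg)
        i += 1
    return found, out


def scan_cmdlines(cmdlines: dict[int, bytes], owner_of=None) -> list[Finding]:
    """Flag every zip/unzip argv that carries a -P password.

    owner_of(pid) -> uid is optional so the logic can run on captured data.
    """
    findings: list[Finding] = []
    for pid, raw in cmdlines.items():
        argv = parse_cmdline(raw)
        if not argv or os.path.basename(argv[0]) not in ARCHIVERS:
            continue
        found, redacted = redact_password_option(argv)
        if found:
            uid = owner_of(pid) if owner_of else -1
            findings.append(Finding(pid, uid, os.path.basename(argv[0]), redacted))
    return findings


def read_proc() -> dict[int, bytes]:
    """Collect /proc/<pid>/cmdline for every process (world-readable on Linux)."""
    result: dict[int, bytes] = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open(f"/proc/{name}/cmdline", "rb") as fh:
                    result[int(name)] = fh.read()
            except OSError:            # process exited or is unreadable
                continue
    return result


def owner_uid(pid: int) -> int:
    return os.stat(f"/proc/{pid}").st_uid


# Constructed sample: what the reporter describes, plus non-matching processes.
SAMPLE: dict[int, bytes] = {
    1234: b"zip\0-r\0-P\0hunter2\0out.zip\0docs\0",   # separate password argument
    1235: b"unzip\0-Phunter2\0in.zip\0",              # attached password
    1236: b"7z\0a\0-p********\0out.7z\0docs\0",        # already masked, per the report
    1237: b"bash\0",
}

if __name__ == "__main__":
    source = read_proc() if os.path.isdir("/proc") else SAMPLE
    for f in scan_cmdlines(source, owner_uid if source is not SAMPLE else None):
        print(f"pid {f.pid} uid {f.uid} {f.program}: {' '.join(f.redacted_argv)}")
```

Run as any unprivileged user it lists the leaking processes; on a live system the same readability of /proc/[PID]/cmdline is exactly why the -P option is unsafe, so the script only ever prints the masked argv.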