Ubuntu
almanah package

[SRU] CVE-2013-1853: Almanah doesn't encrypt the database

Bug #1155000 reported by Angel Abad
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
almanah
Fix Released
Critical
0.10
Fix Released
Critical
0.9
Fix Released
Critical
almanah (Debian)
Fix Released
Unknown
almanah (Ubuntu)
Fix Released
High
Angel Abad
Quantal
Fix Released
High
Angel Abad
Raring
Fix Released
High
Angel Abad

Bug Description

GApplication doesn't use "quit_mainloop" event since GIO 2.32[1], so Almanah
doesn't encrypt the database[2] when the user close the application.
This a security problem for users.

[Test Case]
Open almanah, configure encryption, save some entries, and see file ~/.local/share/diary.db

[Regression Potential]
I think there is no option for regression, this patch is from upstream and specific for this problem.

Regards,

See original description

CVE References

Angel Abad (angelabad)
Changed in almanah (Ubuntu):
importance: Undecided → High
assignee: nobody → Angel Abad (angelabad)
Changed in almanah (Ubuntu Quantal):
importance: Undecided → High
assignee: nobody → Angel Abad (angelabad)
Changed in almanah (Ubuntu Raring):
status: New → In Progress
Changed in almanah (Ubuntu Quantal):
status: New → In Progress
Bug Watch Updater (bug-watch-updater)
Changed in almanah (Debian):
status: Unknown → Fix Released
Revision history for this message
Angel Abad (angelabad) wrote :

This bug was fixed in the package almanah - 0.10.1-1

---------------
almanah (0.10.1-1) experimental; urgency=high

  * Imported Upstream version 0.10.1 (Closes: #702905)

 -- Angel Abad <email address hidden> Tue, 12 Mar 2013 21:21:29 +0100

Changed in almanah (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Angel Abad (angelabad) wrote : Re: [SRU] Almanah doesn't encrypt the database
summary: - Almanah doesn't encrypt the database
+ [SRU] Almanah doesn't encrypt the database
description: updated
Revision history for this message
Angel Abad (angelabad) wrote :

Package upload to quantal-proposed.

Cheers

Angel Abad (angelabad)
summary: - [SRU] Almanah doesn't encrypt the database
+ [SRU] CVE-2013-1853: Almanah doesn't encrypt the database
Angel Abad (angelabad)
Changed in almanah (Ubuntu Quantal):
status: In Progress → Fix Committed
status: Fix Committed → In Progress
Revision history for this message
Brian Murray (brian-murray) wrote :

There was some discussion about this upload on #ubuntu-devel today:

13:50 < mdeslaur> bdmurray: it really should be built as a
                  security update
13:50 < mdeslaur> bdmurray: is it already in -proposed?
13:50 < bdmurray> mdeslaur: no its in the unapproved queue for Q
13:51 < mdeslaur> bdmurray: can you reject it, and we'll do it
                  as a security update?
13:51 < bdmurray> mdeslaur: sure will do
13:51 < mdeslaur> bdmurray: thanks
13:51 < bdmurray> mdeslaur: done

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

ACK on the quantal debdiff. This is currently building as a security update and will be released later today.

Thanks!

Marc Deslauriers (mdeslaur)
Changed in almanah (Ubuntu Quantal):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package almanah - 0.9.0-1ubuntu2.1

---------------
almanah (0.9.0-1ubuntu2.1) quantal-security; urgency=low

  * debian/patches/encrypt_database.patch: (LP: #1155000)
    - upstream patch to ensure encrypt the diary database.
    - CVE-2013-1853
 -- Angel Abad <email address hidden> Thu, 14 Mar 2013 21:17:12 +0100

Changed in almanah (Ubuntu Quantal):
status: Fix Committed → Fix Released
Revision history for this message
Angel Abad (angelabad) wrote :

Hi, thanks for your work.

Cheers,

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.