apply PASSWORD_STORE_SIGNING_KEY to password files too?

Alexander Kjäll alexander.kjall at gmail.com
Wed Nov 10 07:48:25 UTC 2021


I tried sending a patch to fix this vulnerability last year but I
don't think it was applied, and to be honest the patch needed more
work from someone better at shell scripting than me. See
https://blog.hackeriet.no/filename-rename-in-pass/ for my writeup of
this.

On Wed, 10 Nov 2021 at 01:07, David Mandelberg <david at mandelberg.org> wrote:
>
> I just thought about one more thing. Would it be possible for the
> signature to include the relative path too?
>
> browserpass-extension uses the relative path to determine what site the
> password is for, so an attacker with write access could copy
> good-site.example.com.gpg to attacker-controlled.example.net.gpg, then
> collect the password on attacker-controlled.example.net.
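
Added example, not part of the original message and not code from pass: a sketch of the check the quoted suggestion describes, comparing a signature over the file content alone with one that also covers the relative path. HMAC-SHA256 stands in for a detached GPG signature; the key, the ciphertext bytes, and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key; HMAC-SHA256 stands in for a detached GPG signature.
DEMO_KEY = b"constructed-demo-signing-key"

def _tag(data: bytes) -> bytes:
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()

def sign(rel_path: str, blob: bytes, bind_path: bool) -> bytes:
    """Sign the file content, optionally prefixed by its relative path."""
    if not bind_path:
        return _tag(blob)
    path = rel_path.encode("utf-8")
    # Length prefix keeps the path/content boundary unambiguous.
    return _tag(len(path).to_bytes(4, "big") + path + blob)

def failed_entries(store: dict, sigs: dict, bind_path: bool) -> list:
    """Return the relative paths whose signature is missing or invalid."""
    bad = []
    for rel_path, blob in sorted(store.items()):
        expected = sign(rel_path, blob, bind_path)
        if not hmac.compare_digest(sigs.get(rel_path, b""), expected):
            bad.append(rel_path)
    return bad

def copy_entry(store: dict, sigs: dict, src: str, dst: str) -> None:
    """Model write access to the store: duplicate a file and its signature."""
    store[dst] = store[src]
    sigs[dst] = sigs[src]

def demo(bind_path: bool) -> list:
    src = "good-site.example.com.gpg"
    dst = "attacker-controlled.example.net.gpg"
    store = {src: b"constructed ciphertext bytes"}
    sigs = {src: sign(src, store[src], bind_path)}
    copy_entry(store, sigs, src, dst)
    return failed_entries(store, sigs, bind_path)

if __name__ == "__main__":
    print("content-only signature, rejected:", demo(bind_path=False))
    print("path-bound signature, rejected:  ", demo(bind_path=True))
```

With the content-only signature the copied entry verifies under its new name; with the path bound into the signed data, verification rejects it.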

