KDE 1549 Published by

A security issue has been discovered in kio_fish. kio_fish stores the typed password in KWallet even if the user doesn't check the "Remember" box.



Security issue with kio_fish

KDE Project Security Advisory
=============================

Title: kio_fish stores the typed password in KWallet even if the user doesn't check the "Remember" box.
Risk Rating: Low
CVE: CVE-2020-12755
Versions: kio-extras - all versions until 20.04.0
Date: 10th May 2020

Overview
========

fishProtocol::establishConnection in fish/fish.cpp in KDE kio-extras through 20.04.0
makes a cacheAuthentication call even if the user had not set the keepPassword option.
This may lead to unintended KWallet storage of the password.
This is considered a security issue by users who do not trust KWallet (e.g. because
passwords can be read in KWalletManager, given physical access).
Solution
========

- Update to kio-extras >= 20.04.1
- or apply the following patch:
https://commits.kde.org/kio-extras/d813cef3cecdec9af1532a40d677a203ff979145

Workarounds
===========

* Using SSH keys rather than passwords.
* Using sftp:// instead of fish://
* Deleting the password from KWallet using kwalletmanager.

Credits
=======

Thanks to Johannes Hofmann for reporting the issue, to Albert Astals Cid forthe initial reproduction and investigation, and to David Faure for the fix.