Dear Maintainer,

I would like to report a security issue in Krusader. The version from Debian Unstable is also affected.

When Krusader is used to create encrypted .zip files, or to unpack them, it runs the "zip"/"unzip" command, and passes the encryption password to the command using the "-P" option. As the zip(1) manual says, this is insecure, because it exposes the password to all processes, including processes of other users.

This does not affect 7zip archives (at least not in a trivial way like .zip archives); the password is also passed to 7z using a command-line option, but is not readable from /proc/[PID]/cmdline; it is replaced by asterisks.

Best regards,
Samuel Plavec
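An audit check for the exposure described in the report, as an added example that is not part of the original message and is not Krusader code: it parses the NUL-separated /proc/[PID]/cmdline format, flags "zip"/"unzip" processes that carry "-P", and masks the value so the check itself does not log it. The function names, the sample cmdline bytes and the handling of an attached "-Ppassword" spelling are assumptions made for this example.

```python
import os
# The report names the Info-ZIP "zip"/"unzip" commands and their "-P" option.
TOOLS = {"zip", "unzip"}

def parse_cmdline(raw):
    """Split the NUL-separated bytes of /proc/[PID]/cmdline into an argv list."""
    if not raw:
        return []
    return [a.decode("utf-8", "replace") for a in raw.rstrip(b"\0").split(b"\0")]

def redact_exposed_password(argv):
    """Return argv with the password masked, or None if none is exposed."""
    if not argv or os.path.basename(argv[0]) not in TOOLS:
        return None
    out, found, i = [argv[0]], False, 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-P" and i + 1 < len(argv):        # "-P password"
            out += [arg, "<redacted>"]
            i, found = i + 2, True
        elif arg.startswith("-P") and len(arg) > 2:  # assumed attached form
            out.append("-P<redacted>")
            i, found = i + 1, True
        else:
            out.append(arg)
            i += 1
    return out if found else None

def scan_proc(proc="/proc"):
    """Yield (pid, redacted argv) for running processes exposing a password."""
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as f:
                hit = redact_exposed_password(parse_cmdline(f.read()))
        except OSError:
            continue  # process exited or cmdline is not readable
        if hit:
            yield int(pid), hit

# Constructed sample cmdline contents (not captured from a real system).
SAMPLES = [
    b"zip\0-P\0example-pw\0-r\0backup.zip\0docs\0",
    b"/usr/bin/unzip\0-Pexample-pw\0backup.zip\0",
    b"unzip\0-l\0backup.zip\0",
]

if __name__ == "__main__":
    print([redact_exposed_password(parse_cmdline(r)) for r in SAMPLES])
    print(list(scan_proc()) if os.path.isdir("/proc") else "no /proc")
```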