pk12util displays the user's password in plain text, twice

RESOLVED FIXED in 3.9

Status

NSS
Tools
P1
normal
RESOLVED FIXED
15 years ago
15 years ago

People

(Reporter: Nelson Bolyard (seldom reads bugmail), Assigned: Nelson Bolyard (seldom reads bugmail))


Details

Attachments

(1 attachment)

Observe the following output from a run of the pk12util utility, reported in
the n.p.m.crypto newsgroup:

> >>pk12util -i "my.p12" -d "my directory" -v
> >
> > Enter Password or Pin for "NSS Certificate DB": *****
> > Enter password for PKCS12 file: *****
> > Converted from:
> > 73 77 61 6d 70 66 6f 78 31 31  0
> > Converted to:
> >  0 73  0 77  0 61  0 6d  0 70  0 66  0 6f  0 78  0 31  0 31  0  0 

Those last 4 lines show the user's password twice, once in UTF-8 and 
a second time in UCS-2.  This serves no useful purpose, and is a security
flaw.  The code that prints those 4 lines of output should be removed.
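
An added illustration of the flaw described in this report, not code from pk12util.c or from the bug's attachment: a verbose trace that hex-dumps a password buffer, next to a trace that records only the buffer's size. The function names, the trace wording and the sample password are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not NSS code: widen an ASCII password to big-endian
 * UCS-2 including the 2-byte terminator, the form shown under "Converted to:".
 * Returns the number of bytes written, or 0 on error. */
size_t ascii_to_ucs2be(const char *in, unsigned char *out, size_t cap)
{
    size_t n = strlen(in) + 1;               /* count the NUL terminator */
    if (cap < 2 * n) return 0;
    for (size_t i = 0; i < n; i++) {
        if ((unsigned char)in[i] > 0x7f) return 0;   /* ASCII only here */
        out[2 * i] = 0x00;
        out[2 * i + 1] = (unsigned char)in[i];
    }
    return 2 * n;
}

/* Flawed pattern: a verbose trace that hex-dumps the secret itself. */
int trace_leaky(char *dst, size_t cap, const char *label,
                const unsigned char *buf, size_t len)
{
    int off = snprintf(dst, cap, "%s:\n", label);
    for (size_t i = 0; i < len && off > 0 && (size_t)off + 4 <= cap; i++)
        off += snprintf(dst + off, cap - (size_t)off, "%2x ", buf[i]);
    return off;
}

/* Safer pattern: the trace records that a conversion happened and its size. */
int trace_safe(char *dst, size_t cap, const char *label, size_t len)
{
    return snprintf(dst, cap, "%s: %zu bytes\n", label, len);
}

int main(void)
{
    const char *pw = "pw1";                  /* constructed sample password */
    unsigned char wide[16];
    char line[128];
    size_t n = ascii_to_ucs2be(pw, wide, sizeof wide);
    trace_leaky(line, sizeof line, "Converted to", wide, n);
    printf("leaky: %s\n", line);
    trace_safe(line, sizeof line, "Converted to", n);
    printf("safe:  %s", line);
    return 0;
}
```

A hex dump is an encoding, not a protection: anyone who sees the leaky trace in a terminal scrollback or a captured log can read the password back from it.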
(Assignee)

Comment 1

15 years ago
Taking bug
Assignee: wtc → nelsonb
Priority: -- → P1
Target Milestone: --- → 3.9
(Assignee)

Updated

15 years ago
Status: NEW → ASSIGNED
(Assignee)

Comment 2

15 years ago
Created attachment 122276 [details] [diff] [review]
ifdef out offending code and remove some dead code.
(Assignee)

Comment 3

15 years ago
fixed in rev 1.26 of pk12util.c for NSS 3.9
Status: ASSIGNED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED