Blog @ Dockers DEV Site

Updates · Faq · Home · Blog-Index 

06/01/2023 - Security Update for pwman - please use pwman 0.5.0

My password manager pwman is a small private project that I cherish and maintain. Unfortunately a security problem has crept in. In versions smaller than 0.5.0 a 16byte key is defined. Unfortunately there were problems where the program simply used the 16 bytes in its initial form instead of the key. That was always [0x10; 0x0]. Well, 16bytes of zeros. So you might work with a useless key all the time.

This has been fixed now with Version 0.5.0. When you update the program, pwman will always tell you that you have an old 16byte key. In this case you should copy the two files .key.pwds and .pwds from your homefolder and start the program with the argument --updatekey. With this command the key will be renewed and enlarged to 176 byte. The database is automatically initialized to this key and saved.

A little Postmortem:
Interestingly the desire for larger key length had brought me on the track. Of course I had to install a fallback for 16byte keys, which suddenly didn't worked anymore. I figured out that the key in most cases couldn't transformed to utf_8. But instead of throwing a panic!() it left the initialized [0x10; 0x0] untouched.

By the fact that the keylenght was right, the mod aes had no reason to panic!() as well. Only the fact that the mod keys::init_key() now returns a Vec<u8> because we expect a 16 or 176 byte key, led to the issue that the key wasn't used before.

Therefore - make a quick update, please!


Last change 06/01/2023 by Docker Rocker.
This page uses no cookies, no tracking - just HTML.
Author: "Docker Rocker" ~ 2023 · [Public Git]