Bug 15246 - Personal wallets can not be opened after KDE update
Summary: Personal wallets can not be opened after KDE update
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 4
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: has_procedure advisory mga4-64-ok mga...
Keywords: UPSTREAM, validated_update
Depends on:
Blocks:
 
Reported: 2015-02-09 22:57 CET by Vincent D
Modified: 2015-03-05 20:34 CET

See Also:
Source RPM: kdebase4-runtime-4.12.5-1.3.mga4
CVE:
Status comment:


Description Vincent D 2015-02-09 22:57:31 CET
Description of problem:

The standard "kdewallet" wallet can be opened after updating kdebase4-runtime-4.12.5-1.3.mga4, but the others (e.g. the "passwords" wallet in my case) can't: there is an "Error code -9: wrong password" error.


It can be related to the update because the encryption method seems to have changed:
https://bugs.mageia.org/show_bug.cgi?id=14997


The bug is reported at the KDE bugzilla:
https://bugs.kde.org/show_bug.cgi?id=343718

The solution is to downgrade the package to back up non-standard wallets (as xml), then upgrade and import them using kwalletmanager.

My guess is that the standard "kdewallet" is re-encrypted using the new method, but the other wallets are simply ignored, thus using the old encryption method. Thus even the error message is wrong: the .kwl files concerned can be read with the password refused by kwallet using the "kwallet-dump" Python utility.
If that is the case, then the kwallet developers made a huge mistake, because it can lead to (a lot of) lost passwords!


Can an indication be added somewhere before the update process (e.g. in drakrpm-update)?


Reproducible: 

Steps to Reproduce:
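
Added example, not part of the original report and not Mageia or KDE code: a way to snapshot the wallet files before applying a kdebase4-runtime update, so the downgrade-and-export workaround described above stays possible, and to see afterwards which wallet files the update rewrote. The wallet path is the one quoted in this report; `BACKUP_ROOT` and the function names are assumptions.

```shell
#!/bin/sh
# Wallet directory as quoted in this bug report; BACKUP_ROOT is an assumed
# location. Both can be overridden from the environment (absolute paths).
WALLET_DIR="${WALLET_DIR:-$HOME/.kde4/share/apps/kwallet}"
BACKUP_ROOT="${BACKUP_ROOT:-$HOME/kwallet-backups}"

# backup_wallets: copy every regular file in WALLET_DIR into a new,
# owner-only, timestamped directory, record SHA-256 sums of the originals,
# and verify the copies against them. Prints the backup directory.
backup_wallets() {
    [ -d "$WALLET_DIR" ] || { echo "no wallet directory: $WALLET_DIR" >&2; return 1; }
    dest="$BACKUP_ROOT/$(date +%Y%m%d-%H%M%S)"
    # Plain mkdir on the last component fails instead of reusing a directory.
    ( umask 077; mkdir -p "$BACKUP_ROOT" && mkdir "$dest" ) || return 1
    count=0
    for f in "$WALLET_DIR"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        cp -p -- "$f" "$dest/$name" || return 1
        # Hash the original, not the copy, so verification checks the copy.
        ( cd "$WALLET_DIR" && sha256sum -- "$name" ) >> "$dest/SHA256SUMS" || return 1
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || { echo "no wallet files found" >&2; rmdir "$dest"; return 1; }
    ( cd "$dest" && sha256sum -c SHA256SUMS >/dev/null ) || return 1
    echo "$dest"
}

# changed_wallets BACKUP_DIR: print the names of files in WALLET_DIR that no
# longer match the manifest, i.e. files rewritten or removed since the backup.
changed_wallets() {
    ( cd "$WALLET_DIR" && sha256sum -c "$1/SHA256SUMS" 2>/dev/null ) |
        sed -n 's/: FAILED.*$//p'
}

# Typical use around an update:
#   b=$(backup_wallets)      # before installing the update
#   changed_wallets "$b"     # after the first login with the new packages
```

The backup holds the still-encrypted wallet files, so it is only as well protected as the wallet passwords and the directory permissions.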
Comment 1 Marja Van Waes 2015-02-10 00:26:25 CET
thx for your report, Vincent.

Assigning to maintainer.

Keywords: (none) => UPSTREAM
CC: (none) => marja11
See Also: (none) => https://bugs.kde.org/show_bug.cgi?id=343718
Assignee: bugsquad => lmenut
Summary: Personnal wallets can not be opened after update => Personnal wallets can not be opened after KDE update

Comment 2 Luc Menut 2015-02-10 21:38:45 CET
I added this bug report in a comment to the upstream bug
https://bugs.kde.org/show_bug.cgi?id=343718#c13

Vincent, please, could you reply and comment directly in the upstream bug report, like the question in comment 15. It will be faster.
Comment 3 Vincent D 2015-02-11 01:04:46 CET
Done, thanks.
Comment 4 Luc Menut 2015-03-01 17:12:14 CET
Suggested advisory:

Updated kdebase4-runtime packages fix random wallet open failure

The security vulnerability fix for CVE-2013-7252 has introduced a regression for secondary wallets, which sometimes can't be opened.
The issue is fixed with this update.

References:
https://bugs.mageia.org/show_bug.cgi?id=15246
https://bugs.kde.org/show_bug.cgi?id=343718

src.rpm:
kdebase4-runtime-4.12.5-1.4.mga4.src.rpm

packages i586:
kdebase4-runtime-4.12.5-1.4.mga4.i586.rpm
kdebase4-runtime-devel-4.12.5-1.4.mga4.i586.rpm
kdebase4-runtime-handbook-4.12.5-1.4.mga4.noarch.rpm
kwallet-daemon-4.12.5-1.4.mga4.i586.rpm
libkwalletbackend4-4.12.5-1.4.mga4.i586.rpm
libmolletnetwork4-4.12.5-1.4.mga4.i586.rpm
nepomuk-4.12.5-1.4.mga4.i586.rpm

packages x86_64:
kdebase4-runtime-4.12.5-1.4.mga4.x86_64.rpm
kdebase4-runtime-devel-4.12.5-1.4.mga4.x86_64.rpm
kdebase4-runtime-handbook-4.12.5-1.4.mga4.noarch.rpm
kwallet-daemon-4.12.5-1.4.mga4.x86_64.rpm
lib64kwalletbackend4-4.12.5-1.4.mga4.x86_64.rpm
lib64molletnetwork4-4.12.5-1.4.mga4.x86_64.rpm
nepomuk-4.12.5-1.4.mga4.x86_64.rpm

An example of a problematic wallet is available in the upstream bug report
https://bugs.kde.org/show_bug.cgi?id=343718#c33
testcase2.tgz should be extracted in ~/.kde4/share/apps/kwallet/

CC: (none) => lmenut, security
Hardware: x86_64 => All
Assignee: lmenut => qa-bugs

Comment 5 claire robinson 2015-03-05 15:32:59 CET
Testing complete mga4 64

Confirmed the bug using the testcase2.tgz wallet extracted into ~/.kde4/share/apps/kwallet

Upon opening the wallet with password "testcase" it shows 
"Error code -4: Unsupported file format revision"

With updates installed the wallet opens without error.

Whiteboard: (none) => has_procedure mga4-64-ok

Comment 6 David GEIGER 2015-03-05 16:37:07 CET
Tested mga4_32,

Testing complete for kdebase4-runtime-4.12.5-1.4.mga4, I confirm the fix for random wallet open failure.


Upon opening the wallet with password "testcase" it shows 
"Error code -4: Unsupported file format revision"

French error:
 "Erreur lors de l'ouverture du portefeuille testcase.kwl."
 "Veuillez réessayer."
 "(Code d'erreur -4 : Révision de format de fichier non prise en charge)"

With updates installed now the wallet opens without error.

CC: (none) => geiger.david68210

David GEIGER 2015-03-05 16:38:32 CET

Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok mga4-32-ok

Comment 7 claire robinson 2015-03-05 18:05:28 CET
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok mga4-32-ok => has_procedure advisory mga4-64-ok mga4-32-ok
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-03-05 20:34:53 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGAA-2015-0018.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

