Security issue with kio_fish

David Faure faure at
Sun May 10 00:59:37 BST 2020

KDE Project Security Advisory

Title:          kio_fish stores the typed password in KWallet even if the user doesn't check the "Remember" box.
Risk Rating:    Low
CVE:            CVE-2020-12755
Versions:       kio-extras - all versions until 20.04.0
Date:           10th May 2020

fishProtocol::establishConnection in fish/fish.cpp in KDE kio-extras through 20.04.0
makes a cacheAuthentication call even if the user had not set the keepPassword option.
This may lead to unintended KWallet storage of the password.

This is considered a security issue by users who do not trust KWallet (e.g. because
passwords can be read in KWalletManager, given physical access).

- Update to kio-extras >= 20.04.1
- or apply the following patch:

* Using SSH keys rather than passwords.
* Using sftp:// instead of fish://
* Deleting the password from KWallet using kwalletmanager.

Thanks to Johannes Hofmann for reporting the issue, to Albert Astals Cid for
the initial reproduction and investigation, and to David Faure for the fix.

David Faure, faure at,
Working on KDE Frameworks 5

More information about the kde-announce mailing list