Date: Mon, 30 Nov 2015 11:05:39 +0100 From: Yves-Alexis Perez <corsac@...ian.org> To: oss-security@...ts.openwall.com, dev@...passx.org, Reinhard Tartler <siretart@...ware.de> Subject: CVE request for keepassx password database export Hi, it seems that keepassx 0.4.3 export function are a bit buggy. Starting an export (using File / Export to / KeepassX XML file) and cancelling it leads to KeepassX saving a cleartext XML file in ~/.xml without any warning. This was reported privately to the Debian security team today, but it was actually reported publicly earlier in the Debian BTS . Unfortunately the maintainer didn't acknowledge the bug or forwarded it upstream, apparently. It's not a terrible bug per se because leaking a user password file on purpose would still require a lot of social engineering skills, but it still look like it should get a CVE (an user explicitly cancelling the export surely doesn't expect its passwords to be there in a hidden file. Can a CVE be assigned for this?  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791858[1 -- Yves-Alexis [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ