Date: Mon, 30 Nov 2015 11:05:39 +0100
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com, dev@...passx.org, Reinhard Tartler
	 <siretart@...ware.de>
Subject: CVE request for keepassx password database export

Hi,

it seems that keepassx 0.4.3 export function is a bit buggy. Starting an
export (using File / Export to / KeepassX XML file) and cancelling it leads to
KeepassX saving a cleartext XML file in ~/.xml without any warning.

This was reported privately to the Debian security team today, but it was
actually reported publicly earlier in the Debian BTS [1]. Unfortunately the
maintainer didn't acknowledge the bug or forward it upstream, apparently.

It's not a terrible bug per se because leaking a user password file on purpose
would still require a lot of social engineering skills, but it still looks like
it should get a CVE (a user explicitly cancelling the export surely doesn't
expect its passwords to be there in a hidden file).

Can a CVE be assigned for this?

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791858
-- 
Yves-Alexis
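
A check for the leftover file described in the message above, added here as an example and not part of the original post or of KeePassX: it looks for a regular file named `.xml` directly in each home directory it is given and reports its permission bits. The `<password` marker and the sample XML in `demo()` are assumptions constructed for the example, not the real export format.

```python
import os
import stat
import tempfile
from pathlib import Path

LEFTOVER = ".xml"  # file name taken from the report (~/.xml)

def check_home(home):
    """Return a finding for <home>/.xml, or None if no regular file is there."""
    path = Path(home) / LEFTOVER
    try:
        st = path.lstat()              # lstat: do not follow symlinks
    except OSError:
        return None
    if not stat.S_ISREG(st.st_mode):
        return None
    mode = stat.S_IMODE(st.st_mode)
    try:
        with open(path, "rb") as fh:
            head = fh.read(65536).lower()
        has_pw = b"<password" in head  # heuristic marker, an assumption
    except OSError:
        has_pw = None                  # unreadable: report the file anyway
    return {
        "home": Path(home).name,
        "mode": oct(mode),
        "others_can_read": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "size": st.st_size,
        "password_tag": has_pw,
    }

def scan(homes):
    """Check every home directory and keep only the hits."""
    return [f for f in map(check_home, homes) if f is not None]

def demo():
    """Constructed tree: alice has a leftover export, bob does not."""
    sample = b"<database><entry><password>constructed</password></entry></database>"
    with tempfile.TemporaryDirectory() as root:
        alice, bob = Path(root, "alice"), Path(root, "bob")
        alice.mkdir(); bob.mkdir()
        (alice / LEFTOVER).write_bytes(sample)
        os.chmod(alice / LEFTOVER, 0o644)
        (bob / "notes.xml").write_bytes(b"<notes/>")
        return scan([alice, bob])

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, pass the actual home directories to `scan()`; any hit means the password database should be treated as exposed to whoever could read that file.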

