Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 30 Nov 2015 11:05:39 +0100
From: Yves-Alexis Perez <>
To:,, Reinhard Tartler
Subject: CVE request for keepassx password database export


it seems that keepassx 0.4.3 export function are a bit buggy. Starting an
export (using File / Export to / KeepassX XML file) and cancelling it leads to
KeepassX saving a cleartext XML file in ~/.xml without any warning.

This was reported privately to the Debian security team today, but it was
actually reported publicly earlier in the Debian BTS [1]. Unfortunately the
maintainer didn't acknowledge the bug or forwarded it upstream, apparently.

It's not a terrible bug per se because leaking a user password file on purpose
would still require a lot of social engineering skills, but it still look like
it should get a CVE (an user explicitly cancelling the export surely doesn't
expect its passwords to be there in a hidden file.

Can a CVE be assigned for this?


Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ