Date: Mon, 30 Nov 2015 17:04:22 -0500 (EST)
From: cve-assign@...re.org
To: corsac@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, dev@...passx.org, siretart@...ware.de
Subject: Re: CVE request for keepassx password database export

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> it seems that the keepassx 0.4.3 export function is a bit buggy. Starting an
> export (using File / Export to / KeepassX XML file) and cancelling it leads to
> KeepassX saving a cleartext XML file in ~/.xml without any warning.
>
> This was reported privately to the Debian security team today, but it was
> actually reported publicly earlier in the Debian BTS. Unfortunately the
> maintainer didn't acknowledge the bug or forward it upstream, apparently.
>
> It's not a terrible bug per se because leaking a user password file on purpose
> would still require a lot of social engineering skills, but it still looks like
> it should get a CVE (a user explicitly cancelling the export surely doesn't
> expect their passwords to be there in a hidden file).
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791858

>> canceling export operation creates cleartext copy of all of the user's
>> KeePassX password database entries

>> with Debian's default umask, the file is even world-readable in
>> multiuser machines

Use CVE-2015-8378.
- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWXMX0AAoJEL54rhJi8gl568AQAMPk+Vtell3O4tGMdvlKi2RE
BOXFZA9wA6TtVqFWtQ+Kbgsi70ix2Cwc+vVvZIunPyAWGXaQ5jb9XtZ0G0YQ/K8O
/SIsOIgaObO59DPI8JUWvb7Pfj5C3ltb80gIV5+G/3exeWeEp4F8Q9T9SglZhpga
Av351FYWgkHS28l2Kgh832nrAl3aRjMOGxhgw758oXaU7IeJzSAtRv79fDMBuziR
7yQ8M7uD/VO9ZJSt1BPzMluz+B5cPzUqSuhxVor4SvxIxhFQWmo4eAiy3d4CD2Qr
B2qp77ity537ZXto/L4fPomAoZZbB9nEJJCaudWvdlCVj859KKiUU6zW6T89HvB1
iBo3p0N+4WDTe2/btkfXh0OFizmC2XP1qSR5BqfgoRCBNTohSAf/Al67d8RoZpx+
sLAZwCWs8w8z0RZsHvkexPv7V9BTOn5enzDrEqvdBsO5CPWdIuY+CVo0WWuo53ag
ESufvOqo8awLO+XDuI+3GXcKYPFAKrrreBiIeHS3NgT/mkXQT8OkhqUnQk10j0Z0
TK5k9zoMhPEu2MOJDbvJdbtgEFe1He2ZdsjlAGrWd8V5fzCTA7Sf/tH5Hz6GiJft
ZppT3OTzmNokQ2QR4xE5M0RwAnxxnfu0hsGqvLblajX0eG/6YpoOybqy/WOemaok
mS14P6ybQKUxW+XbN9YK
=kZt7
-----END PGP SIGNATURE-----
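The two failure modes in the quoted report, a cancelled export that still leaves the cleartext file behind and a file whose mode is decided by the process umask (0644 under Debian's default 022, so world-readable), come from the same file-handling pattern, and the fix is the same in any language. The following is an added example, not code from this mail thread or from KeePassX; `export_leaky` models the observed effect only (the actual 0.4.3 code path is not shown on this page), `export_safe` is the hardened pattern a maintainer would want (stage in a 0600 temp file created with `mkstemp`, publish with an atomic rename only on completion, unlink on cancel or error), and `SAMPLE_XML`, the file names and `run_demo` are constructed for the demonstration.

```python
"""Added example: cleartext export left behind on cancel, and the safe pattern.
Hypothetical helper code; it is not KeePassX's implementation."""
import os
import shutil
import stat
import tempfile

# Constructed stand-in for an exported KeePassX XML document (not real data).
SAMPLE_XML = (
    "<!DOCTYPE KEEPASSX_DATABASE>\n<database>\n"
    "  <group><title>Internet</title>\n"
    "    <entry><title>mail</title><username>alice</username>"
    "<password>s3cret</password></entry>\n"
    "  </group>\n</database>\n"
)


def perm_bits(path):
    """Permission bits of path as an int, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_world_readable(path):
    """True if the 'other' read bit is set (what a multi-user box cares about)."""
    return bool(perm_bits(path) & stat.S_IROTH)


def export_leaky(dest, xml, cancelled=False):
    """Models the reported effect (assumption, not KeePassX's code): the document
    is written straight to its final path with open(), so the umask picks the
    mode (0o644 under umask 0o022), and Cancel is honoured only after the write,
    so the cleartext file stays on disk while the caller thinks nothing happened."""
    with open(dest, "w") as f:
        f.write(xml)
    if cancelled:
        return None  # dest still exists
    return dest


def export_safe(dest, xml, cancelled=False):
    """Hardened pattern: stage into a mkstemp() file (created 0o600 regardless of
    umask, in the destination directory so the rename is atomic), publish with
    os.replace only when the export completes, and unlink the staging file on
    cancel or on any exception. Returns the final path, or None on cancel."""
    directory = os.path.dirname(os.path.abspath(dest))
    fd, tmp = tempfile.mkstemp(prefix=".export-", dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(xml)
            f.flush()
            os.fsync(f.fileno())
        if cancelled:
            return None  # finally: removes the staging file
        os.replace(tmp, dest)  # atomic publish; mode stays 0o600
        tmp = None
        return dest
    finally:
        if tmp is not None and os.path.exists(tmp):
            os.unlink(tmp)


def run_demo():
    """Run both exporters under umask 0o022 in a fresh temp dir and report what
    is left on disk. Returns a dict of observations; cleans up after itself."""
    old_umask = os.umask(0o022)  # Debian's default, per the quoted report
    workdir = tempfile.mkdtemp(prefix="keepassx-export-demo-")
    try:
        leaky_path = os.path.join(workdir, "leaky.xml")
        cancel_path = os.path.join(workdir, "cancelled.xml")
        done_path = os.path.join(workdir, "done.xml")

        export_leaky(leaky_path, SAMPLE_XML, cancelled=True)
        cancel_result = export_safe(cancel_path, SAMPLE_XML, cancelled=True)
        export_safe(done_path, SAMPLE_XML)

        with open(leaky_path) as f:
            leaky_content = f.read()
        with open(done_path) as f:
            done_content = f.read()
        return {
            "leaky_left_behind": os.path.exists(leaky_path),
            "leaky_mode": perm_bits(leaky_path),
            "leaky_world_readable": is_world_readable(leaky_path),
            "leaky_has_password": "s3cret" in leaky_content,
            "safe_cancel_returned": cancel_result,
            "safe_cancel_left_behind": os.path.exists(cancel_path),
            "staging_files_left": sorted(
                n for n in os.listdir(workdir) if n.startswith(".export-")),
            "safe_done_mode": perm_bits(done_path),
            "safe_done_world_readable": is_world_readable(done_path),
            "safe_done_content_ok": done_content == SAMPLE_XML,
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
        os.umask(old_umask)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value:o}" if key.endswith("_mode") else f"{key}: {value}")
```

The same check applies when auditing an existing system: a cleartext export that a user believes was cancelled is found by looking for unexpected XML files in the home directory and testing their mode bits, which is what `is_world_readable` does; the 0600 staging file plus rename-on-commit is the standard answer in any language, and it also removes the partial-file window if the export is interrupted by a crash rather than a Cancel click.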