Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 3 Dec 2015 22:24:47 -0500
From: Reinhard Tartler <siretart@...il.com>
To: oss-security@...ts.openwall.com
Cc: Yves-Alexis Perez <corsac@...ian.org>, cve-assign@...re.org, dev@...passx.org, 
	Reinhard Tartler <siretart@...ware.de>, debfx-pkg@...os.de
Subject: Re: Re: CVE request for keepassx password database export

On Mon, Nov 30, 2015 at 5:04 PM,  <cve-assign@...re.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>> it seems that keepassx 0.4.3 export function are a bit buggy. Starting an
>> export (using File / Export to / KeepassX XML file) and cancelling it leads to
>> KeepassX saving a cleartext XML file in ~/.xml without any warning.
>>
>> This was reported privately to the Debian security team today, but it was
>> actually reported publicly earlier in the Debian BTS. Unfortunately the
>> maintainer didn't acknowledge the bug or forwarded it upstream, apparently.
>>
>> It's not a terrible bug per se because leaking a user password file on purpose
>> would still require a lot of social engineering skills, but it still look like
>> it should get a CVE (an user explicitly cancelling the export surely doesn't
>> expect its passwords to be there in a hidden file.
>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791858
>
>>> canceling export operation creates cleartext copy of all of the user's
>>> KeePassX password database entries
>
>>> with Debian's default umask, the file is even world-readable in
>>> multiuser machines
>
> Use CVE-2015-8378.


http://anonscm.debian.org/cgit/collab-maint/keepassx.git/commit/?id=b3c9028db8ec3b8752ff47717ffc792d755c1294
should fix the issue.

Felix, I've imported the package from bzr to git and put it to
collab-maint. I have not checked whether this issue also affects the
2.0 branch. Maybe this issue would make a good case for a 0.4.4
release?

Best,
Reinhard

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ