Date: Tue, 8 Dec 2015 21:46:08 +0100 From: Felix Geyer <debfx@...os.de> To: Reinhard Tartler <siretart@...il.com>, oss-security@...ts.openwall.com Cc: Yves-Alexis Perez <corsac@...ian.org> Subject: Re: Re: CVE request for keepassx password database export On 04.12.2015 04:24, Reinhard Tartler wrote: > On Mon, Nov 30, 2015 at 5:04 PM, <cve-assign@...re.org> wrote: >>> it seems that keepassx 0.4.3 export function are a bit buggy. Starting an >>> export (using File / Export to / KeepassX XML file) and cancelling it leads to >>> KeepassX saving a cleartext XML file in ~/.xml without any warning. >>> >>> This was reported privately to the Debian security team today, but it was >>> actually reported publicly earlier in the Debian BTS. Unfortunately the >>> maintainer didn't acknowledge the bug or forwarded it upstream, apparently. >>> >>> It's not a terrible bug per se because leaking a user password file on purpose >>> would still require a lot of social engineering skills, but it still look like >>> it should get a CVE (an user explicitly cancelling the export surely doesn't >>> expect its passwords to be there in a hidden file. >> >>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791858 >> >>>> canceling export operation creates cleartext copy of all of the user's >>>> KeePassX password database entries >> >>>> with Debian's default umask, the file is even world-readable in >>>> multiuser machines >> >> Use CVE-2015-8378. > > > http://anonscm.debian.org/cgit/collab-maint/keepassx.git/commit/?id=b3c9028db8ec3b8752ff47717ffc792d755c1294 > should fix the issue. Yes, the patch looks good. > Felix, I've imported the package from bzr to git and put it to > collab-maint. I have not checked whether this issue also affects the > 2.0 branch. Maybe this issue would make a good case for a 0.4.4 > release? Thanks for taking care of updating the Debian package. Version 2.0 has a different codebase and is not affected. I've just released version 0.4.4: https://www.keepassx.org/news/2015/12/551 Cheers, Felix Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ