Date: Tue, 8 Dec 2015 21:46:08 +0100
From: Felix Geyer <>
To: Reinhard Tartler <>,
Cc: Yves-Alexis Perez <>
Subject: Re: Re: CVE request for keepassx password database

On 04.12.2015 04:24, Reinhard Tartler wrote:
> On Mon, Nov 30, 2015 at 5:04 PM,  <> wrote:
>>> it seems that the keepassx 0.4.3 export function is a bit buggy. Starting an
>>> export (using File / Export to / KeepassX XML file) and cancelling it leads to
>>> KeepassX saving a cleartext XML file in ~/.xml without any warning.
>>> This was reported privately to the Debian security team today, but it was
>>> actually reported publicly earlier in the Debian BTS. Unfortunately the
>>> maintainer didn't acknowledge the bug or forward it upstream, apparently.
>>> It's not a terrible bug per se because leaking a user's password file on purpose
>>> would still require a lot of social engineering skills, but it still looks like
>>> it should get a CVE (a user explicitly cancelling the export surely doesn't
>>> expect their passwords to be there in a hidden file).
>>>> cancelling an export operation creates a cleartext copy of all of the user's
>>>> KeePassX password database entries
>>>> with Debian's default umask, the file is even world-readable on
>>>> multiuser machines
>> Use CVE-2015-8378.
> should fix the issue.

Yes, the patch looks good.

> Felix, I've imported the package from bzr to git and put it to
> collab-maint. I have not checked whether this issue also affects the
> 2.0 branch. Maybe this issue would make a good case for a 0.4.4
> release?

Thanks for taking care of updating the Debian package.
Version 2.0 has a different codebase and is not affected.

I've just released version 0.4.4:


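A defender-side check for the leftover file the thread describes, added here as an example and not code from the thread or from the KeePassX project: it looks for a stray ~/.xml, reports its mode and whether the "other" read bit makes it world-readable, and flags it as a KeePassX export when it carries the KEEPASSX_DATABASE doctype (that marker is assumed from the 0.4.x XML export format).

```shell
#!/bin/sh
# Check for the CVE-2015-8378 leftover: a cancelled "Export to KeePassX XML"
# in keepassx 0.4.3 could leave a cleartext dump at ~/.xml.
# Added example, not code from the thread or the KeePassX project.
#
# Usage: check_keepassx_xml_leak [home_dir]
# Returns 0 when no leftover exists, 1 when one is found (details printed).
check_keepassx_xml_leak() {
    home_dir="${1:-$HOME}"
    leftover="$home_dir/.xml"
    [ -f "$leftover" ] || return 0

    # Octal permission bits; GNU and BSD stat differ, so try both forms.
    mode=$(stat -c '%a' "$leftover" 2>/dev/null || stat -f '%Lp' "$leftover" 2>/dev/null)

    # Assumption: a KeePassX 0.4.x XML export begins with
    # <!DOCTYPE KEEPASSX_DATABASE>; anything else is reported as unknown.
    if head -c 512 "$leftover" | grep -q 'KEEPASSX_DATABASE'; then
        kind="KeePassX XML export"
    else
        kind="unknown file"
    fi

    # World-readable when the last octal digit has the read bit (4) set.
    other=$(printf '%s' "$mode" | tail -c 1)
    case "$other" in
        4|5|6|7) readable="world-readable" ;;
        *)       readable="not world-readable" ;;
    esac

    printf 'leftover %s at %s (mode %s, %s)\n' "$kind" "$leftover" "$mode" "$readable"
    return 1
}
```

Run it against each home directory on a multiuser host; a non-zero exit means a cleartext export is still on disk and should be securely removed.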
