oss-sec mailing list archives
CVE request for keepassx password database export
From: Yves-Alexis Perez <corsac () debian org>
Date: Mon, 30 Nov 2015 11:05:39 +0100
Hi, it seems that the keepassx 0.4.3 export function is a bit buggy. Starting an export (using File / Export to / KeepassX XML file) and cancelling it leads to KeepassX saving a cleartext XML file in ~/.xml without any warning.

This was reported privately to the Debian security team today, but it was actually reported publicly earlier in the Debian BTS [1]. Unfortunately the maintainer didn't acknowledge the bug or forward it upstream, apparently.

It's not a terrible bug per se, because leaking a user's password file on purpose would still require a lot of social engineering skill, but it still looks like it should get a CVE (a user explicitly cancelling the export surely doesn't expect their passwords to be there in a hidden file).

Can a CVE be assigned for this?

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791858

-- 
Yves-Alexis
Attachment:
signature.asc
Description: This is a digitally signed message part
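A practical check for the file the report describes, added here as an example; it is not code from the post, from Debian or from KeePassX. It looks for the cleartext export a cancelled "Export to KeePassX XML" is said to leave at ~/.xml and offers a best-effort scrub. Two things are assumptions not stated in the report: that a KeePassX 0.4.x XML export carries a `<!DOCTYPE KEEPASSX_DATABASE>` line near the top (adjust the pattern if your version differs), and that the default path is `$HOME/.xml`. The function names are this example's own.

```sh
# Added example (not code from the post or from KeePassX): a POSIX sh check for
# the cleartext export the report says a cancelled "Export to KeePassX XML"
# leaves at ~/.xml, plus a best-effort scrub.
# ASSUMPTIONS (not stated in the report): a KeePassX 0.4.x XML export begins
# with an XML declaration followed by <!DOCTYPE KEEPASSX_DATABASE>; the default
# path is $HOME/.xml; the function names are this example's own.

# Return 0 if the file exists and its header looks like a KeePassX XML export.
looks_like_keepassx_export() {
    f="$1"
    [ -f "$f" ] || return 1
    head -c 512 "$f" | grep -q 'KEEPASSX_DATABASE'
}

# Report a leaked export at the given path (default: ~/.xml). Returns 0 if found.
check_leaked_export() {
    f="${1:-$HOME/.xml}"
    if looks_like_keepassx_export "$f"; then
        size=$(wc -c < "$f" | tr -d ' ')
        printf 'cleartext KeePassX export found: %s (%s bytes)\n' "$f" "$size"
        return 0
    fi
    return 1
}

# Overwrite and unlink a leaked export. Refuses to touch a file that does not
# look like an export, so a stray ~/.xml belonging to something else survives.
scrub_leaked_export() {
    f="${1:-$HOME/.xml}"
    looks_like_keepassx_export "$f" || return 1
    if command -v shred >/dev/null 2>&1; then
        shred -u "$f"
    else
        # Fallback where shred is unavailable: overwrite in place, then unlink.
        size=$(wc -c < "$f" | tr -d ' ')
        head -c "$size" /dev/zero > "$f" && rm -f "$f"
    fi
}

# Command-line use: "sh leaked_export.sh --check [path]" or "--scrub [path]".
case "${1:-}" in
    --check) check_leaked_export "${2:-}" ;;
    --scrub) scrub_leaked_export "${2:-}" ;;
esac
```

Run the check on every machine where the export dialog may have been opened and cancelled. The scrub is best effort only: an in-place overwrite does not reliably destroy old contents on journaled or copy-on-write filesystems, on SSDs, or in backups, and the passwords were already written to disk in clear, so treat any credentials in a leaked export as exposed and rotate them.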
Current thread:
- CVE request for keepassx password database export Yves-Alexis Perez (Nov 30)
- Re: CVE request for keepassx password database export cve-assign (Nov 30)
- Re: Re: CVE request for keepassx password database export Reinhard Tartler (Dec 03)
- Re: Re: CVE request for keepassx password database export Felix Geyer (Dec 08)
- Re: Re: CVE request for keepassx password database export Reinhard Tartler (Dec 03)
- Re: CVE request for keepassx password database export cve-assign (Nov 30)