Re: Re: CVE request for keepassx password database export

[Felix Geyer <debfx () fobos de>]

On 04.12.2015 04:24, Reinhard Tartler wrote:
> On Mon, Nov 30, 2015 at 5:04 PM,  <cve-assign () mitre org> wrote:
> > > it seems that keepassx 0.4.3 export function are a bit buggy. Starting an
> > > export (using File / Export to / KeepassX XML file) and cancelling it leads to
> > > KeepassX saving a cleartext XML file in ~/.xml without any warning.
> > >
> > > This was reported privately to the Debian security team today, but it was
> > > actually reported publicly earlier in the Debian BTS. Unfortunately the
> > > maintainer didn't acknowledge the bug or forwarded it upstream, apparently.
> > >
> > > It's not a terrible bug per se because leaking a user password file on purpose
> > > would still require a lot of social engineering skills, but it still look like
> > > it should get a CVE (an user explicitly cancelling the export surely doesn't
> > > expect its passwords to be there in a hidden file.
> >
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791858
> >
> > > > canceling export operation creates cleartext copy of all of the user's
> > > > KeePassX password database entries
> >
> > > > with Debian's default umask, the file is even world-readable in
> > > > multiuser machines
> >
> > Use CVE-2015-8378.
>
>
> http://anonscm.debian.org/cgit/collab-maint/keepassx.git/commit/?id=b3c9028db8ec3b8752ff47717ffc792d755c1294
> should fix the issue.

Yes, the patch looks good.


> Felix, I've imported the package from bzr to git and put it to
> collab-maint. I have not checked whether this issue also affects the
> 2.0 branch. Maybe this issue would make a good case for a 0.4.4
> release?

Thanks for taking care of updating the Debian package.
Version 2.0 has a different codebase and is not affected.

I've just released version 0.4.4:
https://www.keepassx.org/news/2015/12/551

Cheers,
Felix

Attachment: signature.asc
Description: OpenPGP digital signature