Bug 17262

Summary: keepassx new security issue CVE-2015-8378
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, doktor5000, pikachu17997, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/667561/
Whiteboard: has_procedure advisory MGA5-64-OK
Source RPM: keepassx-0.4.3-8.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-11-30 23:19:40 CET 
A CVE was assigned for a security issue in keepassx today (November 30):
http://openwall.com/lists/oss-security/2015/11/30/9

Mageia 5 is also affected.  There doesn't appear to be a fix yet.

Reproducible: 

Steps to Reproduce:
David Walser 2015-11-30 23:19:53 CET

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2015-12-04 17:18:16 CET 
A fix is now available.  A link to it has been posted here:
http://openwall.com/lists/oss-security/2015/12/04/2
Comment 2 David Walser 2015-12-08 21:50:15 CET 
keepassx 0.4.4 has been released, containing the fix mentioned in Comment 1:
http://openwall.com/lists/oss-security/2015/12/08/9
David Walser 2015-12-11 19:29:22 CET

URL: (none) => http://lwn.net/Vulnerabilities/667561/

Comment 3 Sander Lepik 2015-12-12 19:19:32 CET 
I have uploaded an updated package for Mageia 5.

The new version shouldn't save passwords as plain text file when export is canceled.

Suggested advisory:
========================

Updated keepassx package fixes security vulnerability:

Canceling export operation creates clear text copy of all of the user's KeePassX password database entries.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8378
========================

Updated packages in core/updates_testing:
========================
keepassx-0.4.4-1.mga5

Source RPM:
keepassx-0.4.4-1.mga5.src.rpm

Hardware: i586 => All
Version: Cauldron => 5
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO => (none)

Florian Hubold 2015-12-14 02:23:20 CET

CC: (none) => doktor5000

Comment 4 Florian Hubold 2015-12-18 01:04:47 CET 
Testing x86_64. 

With the old keepassx-0.4.3-8.mga5.x86_64:

$ ll ~/.xml
ls: cannot access /home/doktor5000/.xml: No such file or directory

tested export File => Export to => Keepass XML file, pressed cancel.

$ wc -l ~/.xml
4390 /home/doktor5000/.xml

export contains cleartext passwords, ssh keys, vpn certificates and whatever is contained in your keepass database. What a mess :/

----

With the candidate keepassx-0.4.4-1.mga5.x86_64

$ ll ~/.xml
ls: cannot access /home/doktor5000/.xml: No such file or directory

tested export File => Export to => Keepass XML file, pressed cancel.

$ ll ~/.xml
ls: cannot access /home/doktor5000/.xml: No such file or directory


Looks good to me.

Status: NEW => ASSIGNED
Whiteboard: (none) => MGA5-64-OK

Comment 5 claire robinson 2015-12-24 10:40:17 CET 
Validating. Advisory uploaded.

Please push to 5 updates. Thanks

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => has_procedure advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-12-24 12:09:10 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0483.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

play game 2019-07-06 08:05:52 CEST

CC: (none) => pikachu17997

Dave Hodgins 2019-07-06 08:22:44 CEST

CC: (none) => davidwhodgins