Bug 31935

Summary: keepass new security issues CVE-2023-24055 and CVE-2023-32784
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, brtians1, davidwhodgins, geiger.david68210, herman.viaene, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: keepass-2.53.1-1.mga9.src.rpm CVE:
Status comment:

Description David Walser 2023-05-18 04:05:34 CEST 
A security issue in Keepass has been fixed upstream in 2.54:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32784

There is a public PoC and the issue has caught the attention of the press.

Mageia 8 is also affected.
David Walser 2023-05-18 04:05:45 CEST

Status comment: (none) => Fixed upstream in 2.54
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-05-19 21:22:19 CEST 
Assigning to you, DavidG, as you committed the current version fairly recently, so it is familiar territory.

Assignee: bugsquad => geiger.david68210

Comment 2 David Walser 2023-05-22 23:05:46 CEST 
https://amp.thehackernews.com/thn/2023/05/keepass-exploit-allows-attackers-to.html

This article also mentions another CVE.

Summary: keepass new security issue CVE-2023-32784 => keepass new security issues CVE-2023-24055 and CVE-2023-32784

Comment 3 David GEIGER 2023-06-17 19:12:06 CEST 
Done for Cauldron and mga8!

Freeze_move requested for Cauldron.
Comment 4 David GEIGER 2023-06-17 19:14:35 CEST 
Assigning to QA,

Packages in 8/Core/updates_testing:
======================
keepass-2.54-1.mga8.noarch.rpm

From SRPMS:
keepass-2.54-1.mga8.src.rpm

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Assignee: geiger.david68210 => qa-bugs
Status comment: Fixed upstream in 2.54 => (none)

David Walser 2023-06-17 19:37:50 CEST

CC: (none) => geiger.david68210

Comment 5 Herman Viaene 2023-06-20 17:05:51 CEST 
MGA8-64 MATE on Ace Aspire 5253
No installation issues
Ref bug 31475 and https://nerdymishka.com/articles/keepass-a-beginners-guide-to-password-management/ for testing
I could make a new entry for ww.testaankoop.be (consumers magazine on which i have a user and password) and then tried to follow the instructions from the site, I can open the site in firefox from keepass, but when I do "Perform Auto-type", it types the user/password on the CLI. What am I missing???

CC: (none) => herman.viaene

Comment 6 Brian Rockwell 2023-06-29 19:51:35 CEST 
MGA8-64, Plasma

To satisfy dependencies, the following package(s) also need to be installed:

- lib64gdiplus0-6.0.5-1.mga8.x86_64
- lib64xdotool3-3.20160805.1-3.mga8.x86_64
- mono-core-6.10.0-5.mga8.x86_64
- mono-data-6.10.0-5.mga8.x86_64
- mono-data-sqlite-6.10.0-5.mga8.x86_64
- mono-extras-6.10.0-5.mga8.x86_64
- mono-mvc-6.10.0-5.mga8.x86_64
- mono-wcf-6.10.0-5.mga8.x86_64
- mono-web-6.10.0-5.mga8.x86_64
- mono-winforms-6.10.0-5.mga8.x86_64
- xdotool-3.20160805.1-3.mga8.x86_64
- xsel-1.2.0-9.mga8.x86_64

97MB of additional disk space will be used.


I was able to create a new database
Add some entries
close keepas and come back in
Use keypas to open firefox with credentials

Seems to work for me

CC: (none) => brtians1
Whiteboard: (none) => MGA8-64-OK

Comment 7 Thomas Andrews 2023-07-01 14:21:23 CEST 
"There is a public PoC and the issue has caught the attention of the press."

Because if this I'm going to send this on based on comment 6. 

Herman, if you believe your problem in comment 5 may be something more than user error due to inexperience, please remove the validation.

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-07-06 23:00:12 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2023-07-07 07:56:33 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0221.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED