A CVE was assigned for a security issue in keepassx today (November 30): http://openwall.com/lists/oss-security/2015/11/30/9 Mageia 5 is also affected. There doesn't appear to be a fix yet. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO
A fix is now available. A link to it has been posted here: http://openwall.com/lists/oss-security/2015/12/04/2
keepassx 0.4.4 has been released, containing the fix mentioned in Comment 1: http://openwall.com/lists/oss-security/2015/12/08/9
URL: (none) => http://lwn.net/Vulnerabilities/667561/
I have uploaded an updated package for Mageia 5. The new version shouldn't save passwords as plain text file when export is canceled. Suggested advisory: ======================== Updated keepassx package fixes security vulnerability: Canceling export operation creates clear text copy of all of the user's KeePassX password database entries. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8378 ======================== Updated packages in core/updates_testing: ======================== keepassx-0.4.4-1.mga5 Source RPM: keepassx-0.4.4-1.mga5.src.rpm
Hardware: i586 => AllVersion: Cauldron => 5Assignee: mageia => qa-bugsWhiteboard: MGA5TOO => (none)
CC: (none) => doktor5000
Testing x86_64. With the old keepassx-0.4.3-8.mga5.x86_64: $ ll ~/.xml ls: cannot access /home/doktor5000/.xml: No such file or directory tested export File => Export to => Keepass XML file, pressed cancel. $ wc -l ~/.xml 4390 /home/doktor5000/.xml export contains cleartext passwords, ssh keys, vpn certificates and whatever is contained in your keepass database. What a mess :/ ---- With the candidate keepassx-0.4.4-1.mga5.x86_64 $ ll ~/.xml ls: cannot access /home/doktor5000/.xml: No such file or directory tested export File => Export to => Keepass XML file, pressed cancel. $ ll ~/.xml ls: cannot access /home/doktor5000/.xml: No such file or directory Looks good to me.
Status: NEW => ASSIGNEDWhiteboard: (none) => MGA5-64-OK
Validating. Advisory uploaded. Please push to 5 updates. Thanks
Keywords: (none) => validated_updateWhiteboard: MGA5-64-OK => has_procedure advisory MGA5-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0483.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED
CC: (none) => pikachu17997
CC: (none) => davidwhodgins