Bug 17262 - keepassx new security issue CVE-2015-8378
Summary: keepassx new security issue CVE-2015-8378
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/667561/
Whiteboard: has_procedure advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
Reported: 2015-11-30 23:19 CET by David Walser
Modified: 2019-07-06 10:34 CEST

See Also:
Source RPM: keepassx-0.4.3-8.mga5.src.rpm
CVE:
Status comment:
Description David Walser 2015-11-30 23:19:40 CET
A CVE was assigned for a security issue in keepassx today (November 30):
http://openwall.com/lists/oss-security/2015/11/30/9

Mageia 5 is also affected. There doesn't appear to be a fix yet.

Reproducible: 

Steps to Reproduce:
David Walser 2015-11-30 23:19:53 CET

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2015-12-04 17:18:16 CET
A fix is now available. A link to it has been posted here:
http://openwall.com/lists/oss-security/2015/12/04/2
Comment 2 David Walser 2015-12-08 21:50:15 CET
keepassx 0.4.4 has been released, containing the fix mentioned in Comment 1:
http://openwall.com/lists/oss-security/2015/12/08/9
David Walser 2015-12-11 19:29:22 CET

URL: (none) => http://lwn.net/Vulnerabilities/667561/

Comment 3 Sander Lepik 2015-12-12 19:19:32 CET
I have uploaded an updated package for Mageia 5.

The new version shouldn't save passwords as a plain-text file when the export is cancelled.

Suggested advisory:
========================

Updated keepassx package fixes security vulnerability:

Cancelling an export operation creates a clear-text copy of all of the user's KeePassX password database entries.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8378
========================

Updated packages in core/updates_testing:
========================
keepassx-0.4.4-1.mga5

Source RPM:
keepassx-0.4.4-1.mga5.src.rpm

Hardware: i586 => All
Version: Cauldron => 5
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO => (none)

Florian Hubold 2015-12-14 02:23:20 CET

CC: (none) => doktor5000

Comment 4 Florian Hubold 2015-12-18 01:04:47 CET
Testing x86_64. 

With the old keepassx-0.4.3-8.mga5.x86_64:

$ ll ~/.xml
ls: cannot access /home/doktor5000/.xml: No such file or directory

Tested export via File => Export to => KeePass XML file, pressed Cancel.

$ wc -l ~/.xml
4390 /home/doktor5000/.xml

The export contains cleartext passwords, SSH keys, VPN certificates and whatever is contained in your KeePass database. What a mess :/

----

With the candidate keepassx-0.4.4-1.mga5.x86_64

$ ll ~/.xml
ls: cannot access /home/doktor5000/.xml: No such file or directory

Tested export via File => Export to => KeePass XML file, pressed Cancel.

$ ll ~/.xml
ls: cannot access /home/doktor5000/.xml: No such file or directory


Looks good to me.

Status: NEW => ASSIGNED
Whiteboard: (none) => MGA5-64-OK
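The check in Comment 4 (does a cancelled "Export to => KeePass XML file" leave a clear-text dump at ~/.xml?) as a small POSIX sh helper. This is an added example, not code from the bug report or from the KeePassX project; the sample dump is constructed, and it assumes the 0.4.x XML export carries one <password> element per entry.

```shell
# Added example (not from the bug or KeePassX): QA helper for Comment 4's check.
# Reports whether a cancelled XML export left a clear-text dump behind and
# how many <password> entries it holds, without printing any secret.

# Returns 0 when the leftover file exists, 1 when it is absent (default ~/.xml).
leftover_export_present() {
    path="${1:-$HOME/.xml}"
    [ -e "$path" ]
}

# Prints the number of <password> elements in a KeePassX 0.4 XML dump.
# Assumption: the export carries one <password> element per entry.
count_exported_passwords() {
    path="${1:-$HOME/.xml}"
    [ -f "$path" ] || { echo 0; return; }
    grep -o '<password>' "$path" | wc -l | tr -d ' '
}

# Constructed sample dump in a temp dir, standing in for ~/.xml.
make_sample_dump() {
    dir=$(mktemp -d)
    cat > "$dir/.xml" <<'EOF'
<!DOCTYPE KEEPASSX_DATABASE>
<database>
 <group>
  <title>Internet</title>
  <entry>
   <title>example-site</title>
   <password>hunter2</password>
  </entry>
  <entry>
   <title>vpn</title>
   <password>correct-horse</password>
  </entry>
 </group>
</database>
EOF
    echo "$dir/.xml"
}

# QA verdict: PASS when no file is present, FAIL with the entry count otherwise.
qa_verdict() {
    path="${1:-$HOME/.xml}"
    if leftover_export_present "$path"; then
        echo "FAIL: $path exists with $(count_exported_passwords "$path") password entries"
    else
        echo "PASS: $path not present"
    fi
}
```

Run `qa_verdict` before and after the export/cancel step; on the fixed 0.4.4 package it should print PASS both times.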

Comment 5 claire robinson 2015-12-24 10:40:17 CET
Validating. Advisory uploaded.

Please push to 5 updates. Thanks.

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => has_procedure advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-12-24 12:09:10 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0483.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

play game 2019-07-06 08:05:52 CEST

CC: (none) => pikachu17997

Dave Hodgins 2019-07-06 08:22:44 CEST

CC: (none) => davidwhodgins
