Bug 31935 - keepass new security issues CVE-2023-24055 and CVE-2023-32784
Summary: keepass new security issues CVE-2023-24055 and CVE-2023-32784
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2023-05-18 04:05 CEST by David Walser
Modified: 2023-07-07 07:56 CEST (History)
6 users (show)

See Also:
Source RPM: keepass-2.53.1-1.mga9.src.rpm
Status comment:


Description David Walser 2023-05-18 04:05:34 CEST
A security issue in Keepass has been fixed upstream in 2.54:

There is a public PoC and the issue has caught the attention of the press.

Mageia 8 is also affected.
David Walser 2023-05-18 04:05:45 CEST

Status comment: (none) => Fixed upstream in 2.54
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2023-05-19 21:22:19 CEST
Assigning to you, DavidG, as you committed the current version fairly recently, so it is familiar territory.

Assignee: bugsquad => geiger.david68210

Comment 2 David Walser 2023-05-22 23:05:46 CEST

This article also mentions another CVE.

Summary: keepass new security issue CVE-2023-32784 => keepass new security issues CVE-2023-24055 and CVE-2023-32784

Comment 3 David GEIGER 2023-06-17 19:12:06 CEST
Done for Cauldron and mga8!

Freeze_move requested for Cauldron.
Comment 4 David GEIGER 2023-06-17 19:14:35 CEST
Assigning to QA,

Packages in 8/Core/updates_testing:


Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Assignee: geiger.david68210 => qa-bugs
Status comment: Fixed upstream in 2.54 => (none)

David Walser 2023-06-17 19:37:50 CEST

CC: (none) => geiger.david68210

Comment 5 Herman Viaene 2023-06-20 17:05:51 CEST
MGA8-64 MATE on Ace Aspire 5253
No installation issues
Ref bug 31475 and https://nerdymishka.com/articles/keepass-a-beginners-guide-to-password-management/ for testing
I could make a new entry for ww.testaankoop.be (consumers magazine on which i have a user and password) and then tried to follow the instructions from the site, I can open the site in firefox from keepass, but when I do "Perform Auto-type", it types the user/password on the CLI. What am I missing???

CC: (none) => herman.viaene

Comment 6 Brian Rockwell 2023-06-29 19:51:35 CEST
MGA8-64, Plasma

To satisfy dependencies, the following package(s) also need to be installed:

- lib64gdiplus0-6.0.5-1.mga8.x86_64
- lib64xdotool3-3.20160805.1-3.mga8.x86_64
- mono-core-6.10.0-5.mga8.x86_64
- mono-data-6.10.0-5.mga8.x86_64
- mono-data-sqlite-6.10.0-5.mga8.x86_64
- mono-extras-6.10.0-5.mga8.x86_64
- mono-mvc-6.10.0-5.mga8.x86_64
- mono-wcf-6.10.0-5.mga8.x86_64
- mono-web-6.10.0-5.mga8.x86_64
- mono-winforms-6.10.0-5.mga8.x86_64
- xdotool-3.20160805.1-3.mga8.x86_64
- xsel-1.2.0-9.mga8.x86_64

97MB of additional disk space will be used.

I was able to create a new database
Add some entries
close keepas and come back in
Use keypas to open firefox with credentials

Seems to work for me

CC: (none) => brtians1
Whiteboard: (none) => MGA8-64-OK

Comment 7 Thomas Andrews 2023-07-01 14:21:23 CEST
"There is a public PoC and the issue has caught the attention of the press."

Because if this I'm going to send this on based on comment 6. 

Herman, if you believe your problem in comment 5 may be something more than user error due to inexperience, please remove the validation.


Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-07-06 23:00:12 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2023-07-07 07:56:33 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.