Debian Bug report logs -
#791858
keepassx: CVE-2015-8378: canceling export operation creates cleartext copy of all of the user's KeePassX password database entries
Reported by: "m.lindt" <lindt@statsbot.de>
Date: Wed, 8 Jul 2015 21:15:01 UTC
Severity: grave
Tags: security, upstream
Found in version keepassx/0.4.3+dfsg-0.1
Fixed in versions keepassx/0.4.3+dfsg-1, keepassx/0.4.3+dfsg-0.1+deb8u1, keepassx/2.0-1
Done: Reinhard Tartler <siretart@tauware.de>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Reinhard Tartler <siretart@tauware.de>:
Bug#791858; Package keepassx.
(Wed, 08 Jul 2015 21:15:05 GMT) (full text, mbox, link).
Acknowledgement sent
to "m.lindt" <lindt@statsbot.de>:
New Bug report received and forwarded. Copy sent to Reinhard Tartler <siretart@tauware.de>.
(Wed, 08 Jul 2015 21:15:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: keepassx
Version: 0.4.3+dfsg-0.1
Severity: important
Tags: newcomer
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
Klick on file/export_to/KeepassX XML-File
* What exactly did you do (or not do) that was effective (or
ineffective)?
Test and check the functions on keepass. This will be save an invisivle .xml
file in your home directory.
* What was the outcome of this action?
The Passwortlist is accessible in plaintext
* What outcome did you expect instead?
This effekt is also in my arch / manjaro-linux-package of keepassx
Thanks for help Hopefully! :-)
-- System Information:
Debian Release: 8.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages keepassx depends on:
ii libc6 2.19-18
ii libgcc1 1:4.9.2-10
ii libqt4-xml 4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii libqtcore4 4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii libqtgui4 4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii libstdc++6 4.9.2-10
ii libx11-6 2:1.6.2-3
ii libxtst6 2:1.2.2-1+b1
keepassx recommends no packages.
keepassx suggests no packages.
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Reinhard Tartler <siretart@tauware.de>:
Bug#791858; Package keepassx.
(Mon, 30 Nov 2015 06:27:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Henrik Ahlgren <pablo@seestieto.com>:
Extra info received and forwarded to list. Copy sent to Reinhard Tartler <siretart@tauware.de>.
(Mon, 30 Nov 2015 06:27:04 GMT) (full text, mbox, link).
Message #10 received at 791858@bugs.debian.org (full text, mbox, reply):
severity 791858 grave
tags 791858 security
thanks
How come this bug has not been marked as a pretty severe security issue?
Just accessing a menu item, but canceling the export operation by
hitting Esc or clicking Cancel silently creates a hidden (dotfile)
cleartext copy of all of the user's KeePassX password database entries
in the user's home directory. This may go unnoticed by the user for
years, while countless copies of the file propagate to backups etc.,
and with Debian's default umask, the file is even world-readable in
multiuser machines.
Severity set to 'grave' from 'important'
Request was from Henrik Ahlgren <pablo@seestieto.com>
to control@bugs.debian.org.
(Mon, 30 Nov 2015 06:33:06 GMT) (full text, mbox, link).
Added tag(s) security.
Request was from Henrik Ahlgren <pablo@seestieto.com>
to control@bugs.debian.org.
(Mon, 30 Nov 2015 06:33:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Reinhard Tartler <siretart@tauware.de>:
Bug#791858; Package keepassx.
(Mon, 30 Nov 2015 12:51:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Henrik Ahlgren <pablo@seestieto.com>:
Extra info received and forwarded to list. Copy sent to Reinhard Tartler <siretart@tauware.de>.
(Mon, 30 Nov 2015 12:51:07 GMT) (full text, mbox, link).
Message #19 received at 791858@bugs.debian.org (full text, mbox, reply):
This issue seems to only affect export to XML. Export to text file
defaults to "All Files" in the file selection dialog, where XML
defaults to *.xml. Otherwise the source code looks pretty similar for
both:
Export_KeePassX_Xml.cpp:
bool Export_KeePassX_Xml::exportDatabase(QWidget* GuiParent,IDatabase* database){
db=database;
QFile *file=openFile(GuiParent,identifier(),QStringList()<<tr("XML Files (*.xml)") << tr("All Files (*)"));
if(!file)return false;
Export_Txt.cpp:
bool Export_Txt::exportDatabase(QWidget* GuiParent, IDatabase* db){
QFile *file=openFile(GuiParent,identifier(),QStringList()<<tr("All Files (*)") << tr("Text Files (*.txt)"));
if(!file)return false;
Unfortunately I don't have the Qt skills to debug this further.
Changed Bug title to 'keepassx: canceling export operation creates cleartext copy of all of the user's KeePassX password database entries' from 'keepassx: Bug in exportmenu'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 30 Nov 2015 20:45:08 GMT) (full text, mbox, link).
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 30 Nov 2015 20:45:09 GMT) (full text, mbox, link).
Removed tag(s) newcomer.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 01 Dec 2015 05:27:04 GMT) (full text, mbox, link).
Changed Bug title to 'keepassx: CVE-2015-8378: canceling export operation creates cleartext copy of all of the user's KeePassX password database entries' from 'keepassx: canceling export operation creates cleartext copy of all of the user's KeePassX password database entries'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 01 Dec 2015 05:27:05 GMT) (full text, mbox, link).
Reply sent
to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility.
(Fri, 04 Dec 2015 04:27:04 GMT) (full text, mbox, link).
Notification sent
to "m.lindt" <lindt@statsbot.de>:
Bug acknowledged by developer.
(Fri, 04 Dec 2015 04:27:04 GMT) (full text, mbox, link).
Message #32 received at 791858-close@bugs.debian.org (full text, mbox, reply):
Source: keepassx
Source-Version: 0.4.3+dfsg-1
We believe that the bug you reported is fixed in the latest version of
keepassx, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 791858@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated keepassx package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 03 Dec 2015 22:02:42 -0500
Source: keepassx
Binary: keepassx
Architecture: source amd64
Version: 0.4.3+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Reinhard Tartler <siretart@debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Description:
keepassx - Cross Platform Password Manager
Closes: 698832 791858
Changes:
keepassx (0.4.3+dfsg-1) unstable; urgency=medium
.
* Acknowledge NMU, many thanks for helping out! (Closes: #698832)
* Add patch that fixes CVE-2015-8378 (Closes: #791858)
Checksums-Sha1:
2cdc3bf567bb023f4917a44107f2f3cd9025fc93 1766 keepassx_0.4.3+dfsg-1.dsc
2ab50a956311997c39a02d316f59cdebd1e843d9 12540 keepassx_0.4.3+dfsg-1.debian.tar.xz
a9238479248ae413baf940c526a838c67d934368 753416 keepassx_0.4.3+dfsg-1_amd64.deb
Checksums-Sha256:
588f2a8b29c3ce88dae324bfc23a042f2681dcf58d5d02455139cac38a0cee6c 1766 keepassx_0.4.3+dfsg-1.dsc
3169e47096b55ddd94d90c4db202e99be09d8204d4c10e5df2d601d0e7c7666e 12540 keepassx_0.4.3+dfsg-1.debian.tar.xz
cf309cd0be58a050bccc7cd6625232952497c2464af094d3191fcc393533857c 753416 keepassx_0.4.3+dfsg-1_amd64.deb
Files:
62c1a28b11046a8a87228f92002b00d5 1766 utils optional keepassx_0.4.3+dfsg-1.dsc
25ea7ea492f32f1578b6c0f7dd875ef0 12540 utils optional keepassx_0.4.3+dfsg-1.debian.tar.xz
118e5b5ce1e2103727ac35b77b462b3c 753416 utils optional keepassx_0.4.3+dfsg-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAEBCAAGBQJWYQe1AAoJEIuAbIZKeKRF6AsMAJOZv4zEBmHtnraDal4/hnzX
OGq4jtD1rz/iVlMeoXDarQ7nEpywkrm3ZCwZf7+oiUXqe6KgJtE42f54z3WPNCay
Glets6zbPuD51VkfqkYNSuaqzIX3fS1K3Tn4I6HUZkic5aeuGPI0wuU6fK7QiJti
tiEgCIWwteB1AVjfEgPyqDkNI5VU5Tq1YvBCc+P7P4WIGVOXvHQ0GACGhaen/PpR
P3zkJBeuwAEXLxfPIV1TQck20NUx21zRsdzi64+xARCbOghiNxBX7iQgQJIWMPqA
Ob4x0/sXtIk+FBKvDeH/TDG6RsZ/JnRBEs983DB5ndvrK/q7rXwO+TL1K+M/74T5
i2oumgdOmjFB+5bc+E2ii8bXn7xYIxSMTsfxzTycTJlLYV+WAxJW0upvZvRcYh5z
NiM6OC+ry+5fznUas0couCGJNfKG7GeR9o45z4BofWGNkIEcCFQvUXU/fBJiAUih
kzgWJ9nJ1qb35dXwSyEkUt4p1k9V6cc7XSdjKvs3sA==
=RDa0
-----END PGP SIGNATURE-----
Reply sent
to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility.
(Mon, 07 Dec 2015 21:51:07 GMT) (full text, mbox, link).
Notification sent
to "m.lindt" <lindt@statsbot.de>:
Bug acknowledged by developer.
(Mon, 07 Dec 2015 21:51:07 GMT) (full text, mbox, link).
Message #37 received at 791858-close@bugs.debian.org (full text, mbox, reply):
Source: keepassx
Source-Version: 0.4.3+dfsg-0.1+deb8u1
We believe that the bug you reported is fixed in the latest version of
keepassx, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 791858@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated keepassx package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 05 Dec 2015 13:15:11 -0500
Source: keepassx
Binary: keepassx
Architecture: source amd64
Version: 0.4.3+dfsg-0.1+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Reinhard Tartler <siretart@debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Description:
keepassx - Cross Platform Password Manager
Closes: 791858
Changes:
keepassx (0.4.3+dfsg-0.1+deb8u1) jessie; urgency=medium
.
* Add patch that fixes CVE-2015-8378 (Closes: #791858)
Checksums-Sha1:
136e0cbda11f93c331285e51a32c3377ea6fef84 1825 keepassx_0.4.3+dfsg-0.1+deb8u1.dsc
0425698eec90dc967b322662e53f0c11104040cd 12532 keepassx_0.4.3+dfsg-0.1+deb8u1.debian.tar.xz
fdd8eeb6c4a8187fe303e5d30e0c2111c9831cf8 749354 keepassx_0.4.3+dfsg-0.1+deb8u1_amd64.deb
Checksums-Sha256:
b4e45bf7c0073aa8f63d836f6609ec6b1bdad8f4b5fa7e316e371491b2d2262c 1825 keepassx_0.4.3+dfsg-0.1+deb8u1.dsc
2ed1be589b8ed76586b87cfc0de8835e088bbd5466739a3df1784c821d17c9f5 12532 keepassx_0.4.3+dfsg-0.1+deb8u1.debian.tar.xz
d6037acc1b3e4b134cd2707ab7fec85c24b01f68b0655e06f9fc9907a887447b 749354 keepassx_0.4.3+dfsg-0.1+deb8u1_amd64.deb
Files:
4efaf78ea4223104b79559878ee19779 1825 utils optional keepassx_0.4.3+dfsg-0.1+deb8u1.dsc
0f6e9240fcef9b7ec478e7b979f695fd 12532 utils optional keepassx_0.4.3+dfsg-0.1+deb8u1.debian.tar.xz
dbb363054bf18cdbc0439a3c07c6e204 749354 utils optional keepassx_0.4.3+dfsg-0.1+deb8u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Debian Powered!
iQGcBAEBAgAGBQJWZNFnAAoJEIuAbIZKeKRFAswMALBoW4g2rH3eJYD6MYkZPuH+
5f1SxOjwVOqHFapWDLb1XtmiegyrzAaqOZtJsmCq8vDqPyydoK04ylfej1ffalCp
NMECG2cYjCGAE4QGB5AD+Jz/TefK+hHaTpgts903FPq8G/+zIsJRp4N1A1HkS+a0
wcPuB6gIL9/iMshRLn4h+TckjmB13ouC55CX7Ifw2zdfMlaDtg/i1KprR2IhDnwT
VyHPpHVFv+4NmzjL0K72lChzknTIKPxVmbpyOlA93l18qIBss739BWbch8O77wRi
fpxTYwj53lZQKVXDuBJdaN+zfFAMvZU8XdqbqyWrYjMzrx0GqRaLU8r7WijaVIAs
Z/S20CHxDQZySaSpHqpR6v/MSv+T0S94L3Gv2542A5b6GuXu8Hh4Mo5SFAcJpRAb
cdZNcqq4JNilbXYEzAUNSztD2xlb6aDne5LAsAy2oYyhptisCsgAvI2BJyiSOwT2
UJoox35See2YM95pqFKiF3iZNouKa1a25W30FsWktQ==
=va1u
-----END PGP SIGNATURE-----
Reply sent
to Reinhard Tartler <siretart@tauware.de>:
You have taken responsibility.
(Mon, 11 Jan 2016 11:57:25 GMT) (full text, mbox, link).
Notification sent
to "m.lindt" <lindt@statsbot.de>:
Bug acknowledged by developer.
(Mon, 11 Jan 2016 11:57:25 GMT) (full text, mbox, link).
Message #42 received at 791858-close@bugs.debian.org (full text, mbox, reply):
Source: keepassx
Source-Version: 2.0-1
We believe that the bug you reported is fixed in the latest version of
keepassx, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 791858@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated keepassx package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 09 Jan 2016 19:24:30 -0500
Source: keepassx
Binary: keepassx
Architecture: source
Version: 2.0-1
Distribution: unstable
Urgency: medium
Maintainer: Reinhard Tartler <siretart@tauware.de>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Description:
keepassx - Cross Platform Password Manager
Closes: 645499 685533 707634 714357 763083 791858
Changes:
keepassx (2.0-1) unstable; urgency=medium
.
* New upstream release. (Closes: #707634)
- Completely rewritten compared to 0.x series
(closes: #707634, #685533, #714357, #763083, #791858)
- pronouncable password generator has been dropped (closes: #645499)
Checksums-Sha1:
953e73dfcfc250492c562a0dde3b25557011b17c 1720 keepassx_2.0-1.dsc
e5dc2e55c9ec22a769abac177f2c3b6dfb0a315c 1524638 keepassx_2.0.orig.tar.gz
166c4f8a63562681d83aa3c55eaf2fc5627a8ba8 9628 keepassx_2.0-1.debian.tar.xz
Checksums-Sha256:
195ff6867a3726e07dc0aba24c018dd9e3e366419e8bca7c1ff6d47ba27d7fc9 1720 keepassx_2.0-1.dsc
0eb40fac3a44d8283dfc1ee28cc6de5c660b22ab975472de82c2b04675c822e6 1524638 keepassx_2.0.orig.tar.gz
a6661cccfd97f7cf5754d3c2f1316aa63195d8aae4b3201ef362df6c11030252 9628 keepassx_2.0-1.debian.tar.xz
Files:
44048d763ec6bb6a88939b824be7982a 1720 utils optional keepassx_2.0-1.dsc
ded7db880d07cd1e5f7bd5bf3cc8c0f4 1524638 utils optional keepassx_2.0.orig.tar.gz
868904eb1622c1c4c25e9f9ce4921cfc 9628 utils optional keepassx_2.0-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGcBAEBCAAGBQJWk5PlAAoJEIuAbIZKeKRFNFsMALOJb47mpbA+0WFtsiVlx2D/
Co8587I8k4d+kIfQjil7mPQTG33NCRQMv75LHaNDkv1sVCLxXOJyRRImHl68kDpU
BtC02LT6L9GOSIQf6DCpXQiSAss80GxJGFPh4Fumd6OWmYq/HEhkWM/E8yWXxBEp
tE8EqpaBIdan6/6kDCaBI0tu64rqwkhU7V9fYfEEPKkC0RtcMrnvrVOtXTFtK5tT
aeyKtyn15RB2r5QV9ibH+lgkt4Gw5WmHz8+a6KmnEc8CiljWZvg+vYryDiAenG3C
QfneD1AC3PULF9FUI/nP+T9G4LoFQ34+Ji3trANUUwVhYbUr6zqajUlNswX9pBu+
2RQQ72xfBSZ9NY6/zE6GYMU+XOBSK7IEhfQcXu4c8w2EX4K+bEQKYd4W2dhN188h
ODwKLXZTtILxaGJsHSV1dqfR4zyTo9IpgMJwQNrPwYqUOjiIEUIW61+F8JuqJ/0e
mDNew7+99/TX4+l/hCHWjs5fUwTxHiclds36CtxRNQ==
=zHcd
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 09 Feb 2016 07:33:22 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:02:58 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon