Stay Secure with the Latest Linux Advisories

security advisoryinformation disclosuremedium

Arch Linux 201512-8 Medium: Keepassx Information Disclosure

The package keepassx before version 0.4.4-1 is vulnerable to information disclosure via unintended export of plaintext credentials. . Arch Linux Security Advisory ASA-201512-8 ======================================== Severity: Medium Date : 2015-12-10 CVE-ID : CVE-2015-8378 Package : keepassx Type : information disclosure Remote : No Link : https://wiki.archlinux.org/title/CVE Summary ====== The package keepassx before version 0.4.4-1 is vulnerable to information disclosure via unintended export of plaintext credentials. Resolution ========= Upgrade to 0.4.4-1. # pacman -Syu "keepassx> =0.4.4-1" The problem has been fixed upstream in version 0.4.4. Workaround ========= None. Description ========== It was found that XML export function creates hidden XML file containing user passwords in plaintext without warning, when the export is canceled, which may go unnoticed by the user. In this case the password database was exported as the file “.xml” in the current working directory (often $HOME or the directory of the database) and is world readable. Impact ===== A local attacker can get access to secret plaintext credentials via an unintentionally exported world readable password database. References ========= https://access.redhat.com/security/cve/CVE-2015-8378 . Debian security report concerning gedit highlights a moderate severity vulnerability allowing potential data leakage through unencrypted file saves.. Keepassx Security, Arch Linux Advisory, Information Leak. . LinuxSecurity.com Team

Dec 10, 2015 ArchLinux