
Bug#1008022: keepass2: CVE-2022-0725 information disclosure


Markus Koschany

Mar 20, 2022, 1:30:04 PM
Package: keepass2
X-Debbugs-CC: te...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for keepass2.

CVE-2022-0725[0]:
| A flaw was found in KeePass. The vulnerability occurs due to logging
| the plain text passwords in the system log and leads to an Information
| Exposure vulnerability. This flaw allows an attacker to interact and
| read sensitive passwords and logs.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-0725
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0725

Please adjust the affected versions in the BTS as needed.

Steps to reproduce the problem (according
to https://bugzilla.redhat.com/show_bug.cgi?id=2052696)


Step 1: Run "journalctl -f" in a terminal window.
Step 2: Double click a password in KeePass.
Step 3: Wait for the clear timeout to trigger.

Actual results:
See your plain text password logged in the terminal window

Expected results:
Never see your plain text password logged anywhere


Only users in the systemd-journal group can use journalctl. At the moment I
can't reproduce the problem on a custom XFCE system but I have not tried GNOME
or other desktop environments yet and I suspect this problem is not limited to
RedHat or Fedora.


Regards,

Markus


Enrico Zini

Jun 24, 2022, 11:30:03 AM
On Sun, Mar 20, 2022 at 06:16:41PM +0100, Markus Koschany wrote:

> Steps to reproduce the problem (according
> to https://bugzilla.redhat.com/show_bug.cgi?id=2052696)
>
> Step 1: Run "journalctl -f" in a terminal window.
> Step 2: Double click a password in KeePass.
> Step 3: Wait for the clear timeout to trigger.
>
> Actual results:
> See your plain text password logged in the terminal window
>
> Expected results:
> Never see your plain text password logged anywhere
>
> Only users in the systemd-journal group can use journalctl. At the moment I
> can't reproduce the problem on a custom XFCE system but I have not tried GNOME
> or other desktop environments yet and I suspect this problem is not limited to
> RedHat or Fedora.

I failed to reproduce this on Gnome on a freshly installed buster
system.

I failed to reproduce this on Gnome on a freshly installed bullseye
system with wayland.

Also on bullseye:

- I tried to install all the clipboard managers I could find in apt
(clipit clipman copyq diodon gnome-shell-extension-gpaste parcellite
qlipper xsel) and I still couldn't reproduce.

- I ran keepass2 in a terminal, and it did not produce output.

- I ran keepass2 from Gnome Shell, and I keep seeing nothing in logs.

In RedHat's bugzilla at https://bugzilla.redhat.com/show_bug.cgi?id=2053688
they also failed to reproduce it. At this point, the only reproducers
are in the two threads in the keepass discussion forum.

In https://sourceforge.net/p/keepass/discussion/329220/thread/da7546b7e1/
Paul tried to reproduce it, too, and also failed.

At this point I would suspect that something else was at play in the
users' systems, independent from keepass2.


Enrico

--
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enr...@enricozini.org>
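
A way to run the reproduction steps from this thread with a throwaway canary instead of a real password, and to see which process, if any, wrote it to the journal. This is an added example, not part of the original messages and not KeePass or Debian code; the canary value, the sample records and the logger names in them are constructed.

```python
import json
import subprocess

CANARY = "Canary-7f3a-not-a-real-password"  # constructed throwaway value, never a real secret

def message_text(value):
    """Decode a MESSAGE field as emitted by `journalctl -o json`."""
    if isinstance(value, str):
        return value
    if isinstance(value, list):   # non-UTF-8 payloads are exported as arrays of byte values
        return bytes(value).decode("utf-8", errors="replace")
    return ""                     # null: the field was too large and journalctl elided it

def find_leaks(json_lines, canary=CANARY):
    """Return (logger, pid) for every journal record whose message contains the canary."""
    hits = []
    for line in json_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue              # skip blank or truncated lines
        if not isinstance(rec, dict):
            continue
        if canary in message_text(rec.get("MESSAGE")):
            logger = rec.get("SYSLOG_IDENTIFIER") or rec.get("_COMM") or "unknown"
            hits.append((logger, rec.get("_PID", "?")))
    return hits

# Constructed sample records; the logger names are hypothetical, not from the bug reports.
SAMPLE = [
    json.dumps({"_COMM": "keepass2", "_PID": "4242", "MESSAGE": "database opened"}),
    json.dumps({"SYSLOG_IDENTIFIER": "example-clip-helper", "_PID": "4310",
                "MESSAGE": "clipboard changed: " + CANARY}),
    json.dumps({"_COMM": "example-shell-ext", "_PID": "4355",
                "MESSAGE": list(b"\xff" + CANARY.encode())}),
    json.dumps({"_COMM": "example-big-logger", "_PID": "1", "MESSAGE": None}),
    "",
]

def scan_live_journal(since="-10min"):
    """Scan the journal entries the current user is allowed to read."""
    out = subprocess.run(
        ["journalctl", "-o", "json", "--all", "--no-pager", "--since=" + since],
        capture_output=True, text=True, check=True).stdout
    return find_leaks(out.splitlines())

if __name__ == "__main__":
    for logger, pid in find_leaks(SAMPLE):
        print(f"canary logged by {logger} (pid {pid})")
```

Store the canary in a test entry, double click it in KeePass, wait for the clear timeout, then call `scan_live_journal()`; an empty list corresponds to the failed reproductions reported above, and a hit names the process that did the logging.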