Bug 205105 - security/keepassx: address information disclosure vulnerability (CVE-2015-8378)
Summary: security/keepassx: address information disclosure vulnerability (CVE-2015-8378)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Steve Wills
URL: http://www.openwall.com/lists/oss-sec...
Keywords: patch, patch-ready, security
Depends on:
Blocks:
 
Reported: 2015-12-08 00:26 UTC by Jason Unovitch
Modified: 2015-12-23 20:28 UTC
CC: 1 user

See Also:
bugzilla: maintainer-feedback? (swills)
junovitch: merge-quarterly+


Attachments
KeePassX-04.4.patch (1.26 KB, patch)
2015-12-11 01:35 UTC, Jason Unovitch

Comment 1 commit-hook freebsd_committer 2015-12-08 00:28:56 UTC
A commit references this bug:

Author: junovitch
Date: Tue Dec  8 00:28:48 UTC 2015
New revision: 403244
URL: https://svnweb.freebsd.org/changeset/ports/403244

Log:
  Document information disclosure in KeePassX

  PR:		205105
  Security:	CVE-2015-8378
  Security:	https://vuxml.FreeBSD.org/freebsd/918a5d1f-9d40-11e5-8f5c-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 2 Jason Unovitch freebsd_committer 2015-12-08 00:29:52 UTC
Documented as 0.4.4 at this time and I'm moving on to the next issue to research.  We can fix it to 0.4.3_2 if we import the patch.
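The choice described in the comment above (document the fix as 0.4.4, or as 0.4.3_2 if the patch is imported) is a question of which installed versions a VuXML range will flag. The following is an added example, not code from the PR or from the FreeBSD vuxml tooling: it parses a constructed VuXML `<vuln>` entry modelled on the one referenced in this PR (the vid and package name are taken from the PR; the topic text, the omitted `xmlns` namespace and the `<lt>0.4.4</lt>` range are assumptions) and evaluates candidate package versions against it. The version comparison is a simplified reading of FreeBSD's `VERSION[_REVISION][,EPOCH]` scheme, not pkg's full algorithm, and is adequate for the plain numeric versions on this page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed VuXML entry for this PR. Real vuln.xml entries carry the
# http://www.vuxml.org/apps/vuxml-1 namespace, which is omitted here (assumption).
SAMPLE_VULN_XML = """<vuln vid="918a5d1f-9d40-11e5-8f5c-002590263bf5">
  <topic>keepassx -- information disclosure</topic>
  <affects>
    <package>
      <name>keepassx</name>
      <range><lt>0.4.4</lt></range>
    </package>
  </affects>
</vuln>"""


def entry_with_lt(fixed_version):
    """Return the same constructed entry with a different '<lt>' bound, so the
    two candidate fix versions discussed in the PR can be compared."""
    return SAMPLE_VULN_XML.replace("<lt>0.4.4</lt>", "<lt>%s</lt>" % fixed_version)


def version_key(v):
    """Simplified FreeBSD package version key: (epoch, dotted components, revision).
    Format handled: VERSION[_PORTREVISION][,PORTEPOCH], e.g. '0.4.3_2' or '1.2,1'."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    comps = []
    for comp in v.split("."):
        # Numeric tokens sort before alphabetic ones via the (0, n) / (1, s) tag,
        # which keeps tuple comparison well-typed for mixed components like '1a'.
        toks = re.findall(r"\d+|[A-Za-z]+", comp)
        comps.append(tuple((0, int(t)) if t.isdigit() else (1, t) for t in toks))
    return (epoch, tuple(comps), revision)


# VuXML range operators: every bound inside one <range> must hold.
OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
    "ge": lambda a, b: a >= b,
    "eq": lambda a, b: a == b,
}


def parse_ranges(xml_text):
    """Map package name -> list of ranges; each range is a list of (op, version)."""
    root = ET.fromstring(xml_text)
    result = {}
    for pkg in root.iter("package"):
        name = pkg.findtext("name")
        for rng in pkg.findall("range"):
            bounds = [(child.tag, child.text.strip()) for child in rng]
            result.setdefault(name, []).append(bounds)
    return result


def is_affected(vulns, name, version):
    """True if 'name'-'version' falls inside any range of the parsed entry."""
    key = version_key(version)
    for bounds in vulns.get(name, []):
        if all(OPS[op](key, version_key(val)) for op, val in bounds):
            return True
    return False


VULNS = parse_ranges(SAMPLE_VULN_XML)             # as documented: < 0.4.4
VULNS_IF_PATCHED = parse_ranges(entry_with_lt("0.4.3_2"))  # if the patch were imported

if __name__ == "__main__":
    for ver in ("0.4.3", "0.4.3_1", "0.4.3_2", "0.4.4"):
        print(ver, "affected(<0.4.4):", is_affected(VULNS, "keepassx", ver),
              "affected(<0.4.3_2):", is_affected(VULNS_IF_PATCHED, "keepassx", ver))
```

Under the entry as committed, a 0.4.3_2 package built with the upstream patch would still be reported as vulnerable, which is why the comment notes the entry would need adjusting if the patch were imported instead of updating to 0.4.4.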
Comment 3 Jason Unovitch freebsd_committer 2015-12-11 01:35:07 UTC
Created attachment 164097 [details]
KeePassX-04.4.patch

Steve,
It hasn't hit the SF mirrors, but I appended the upstream page after the SF MASTER_SITES.

I also added desktop-file-utils to address this QA issue noted in Poudriere.
Warning: you need USES=desktop-file-utils

I've only checked 11.0 i386 Poudriere so far and the rest of the builds will go overnight with dependencies.  You are more than welcome to take it for yourself or drop an 'Approved by:' assuming my overnight builds look good.
Comment 4 Jason Unovitch freebsd_committer 2015-12-11 23:09:53 UTC
Poudriere clean on:
9.3-RELEASE-p30      amd64
9.3-RELEASE-p30      i386
10.1-RELEASE-p24     amd64
10.1-RELEASE-p24     i386
11.0-CURRENT r291793 amd64
11.0-CURRENT r291793 i386

Adding 'patch-ready'
Comment 5 commit-hook freebsd_committer 2015-12-23 00:23:09 UTC
A commit references this bug:

Author: junovitch
Date: Wed Dec 23 00:22:31 UTC 2015
New revision: 404271
URL: https://svnweb.freebsd.org/changeset/ports/404271

Log:
  security/keepassx: update 0.4.3 -> 0.4.4

  - Update MASTER_SITES. Upstream no longer uses SVN or SourceForge
    infrastructure. See http://sourceforge.net/p/keepassx/code/387/
  - USES: Add desktop-file-utils

  PR:		205105
  Approved by:	maintainer timeout (2 weeks)
  Security:	CVE-2015-8378
  Security:	https://vuxml.FreeBSD.org/freebsd/918a5d1f-9d40-11e5-8f5c-002590263bf5.html
  MFH:		2015Q4

Changes:
  head/security/keepassx/Makefile
  head/security/keepassx/distinfo
Comment 6 commit-hook freebsd_committer 2015-12-23 20:20:17 UTC
A commit references this bug:

Author: junovitch
Date: Wed Dec 23 20:19:51 UTC 2015
New revision: 404318
URL: https://svnweb.freebsd.org/changeset/ports/404318

Log:
  MFH: r404271

  security/keepassx: update 0.4.3 -> 0.4.4

  - Update MASTER_SITES. Upstream no longer uses SVN or SourceForge
    infrastructure. See http://sourceforge.net/p/keepassx/code/387/
  - USES: Add desktop-file-utils

  PR:		205105
  Approved by:	maintainer timeout (2 weeks)
  Approved by:	ports-secteam (feld)
  Security:	CVE-2015-8378
  Security:	https://vuxml.FreeBSD.org/freebsd/918a5d1f-9d40-11e5-8f5c-002590263bf5.html

Changes:
_U  branches/2015Q4/
  branches/2015Q4/security/keepassx/Makefile
  branches/2015Q4/security/keepassx/distinfo
Comment 7 Jason Unovitch freebsd_committer 2015-12-23 20:28:12 UTC
Update committed with minor variations from the attached patch and merged to quarterly.  As mentioned in the commit message, SourceForge is no longer in use, so the original MASTER_SITES change in the attached patch was not correct.