#1007914 libfile-keepass-perl: crashes "not well-formed (invalid token)" when finding escape characters
- Package: libfile-keepass-perl
- Source: libfile-keepass-perl
- Submitter: Rhonda D'Vine
- Date: 2025-08-16 06:23:02 UTC
- Severity: important
- Tags:
Dear Maintainer,
I store my passwords in a keepass file that I exclusively use through kpcli. After the last kernel upgrade reboot I was unable to open the file anymore, and thus can't access my passwords. I have an aged backup, and most sites offer password resets, but this is actually a serious data loss.
When I try to open the database now I get the following error message:
    ➤ kpcli --kdb rhonda.kdbx
    Please provide the master password: *************************
    Couldn't load the file rhonda.kdbx: not well-formed (invalid token) at line 3103, column 15, byte 100409 at /usr/lib/x86_64-linux-gnu/perl5/5.34/XML/Parser.pm line 187.
So I have somehow the hope that the data isn't lost completely, only that the XML parser is stumbling upon something. I haven't had the nerve yet to dig further into it and try to unpack the whole situation, make kpcli dump what it gives to XML::Parser, that part gives me a bit of a hope because it clearly can decrypt the file in the first place, but it makes it unusable to the "innocent".
If you are able to give me any helping hand on those grounds, they would be very much appreciated! Because as it stands I assume this might happen to others, and I'm uncertain if it would have anything to do with specific data stored in some comment or password field or whatever.
Thanks in advance,
Rhonda
Hi, I managed to find the culprit With A Little Help From My Friends[tm]. I used Data::Dumper before the content got passed to XML::Parser, and it turned out that there is an Escape character (0x1b, ^[) in a comment field. kpcli seems to have accepted this when the comment was pasted and stored it happily, but was unable to re-read the file written with that in it. I'm currently fiddling around to delete that escape character on load time and have kpcli start, allowing me to save it without the escape character, hopefully allowing to re-read it afterwards. I'll keep you posted, Rhonda
Hi,
    $buffer =~ s/\e//g;
.. this was all that was needed to fix my mess. Though, kpcli for obvious reasons shouldn't be able to write broken data it can't read again, so I keep seeing this as a severe bug in the code which can lead to data loss for people who aren't familiar enough with perl or who don't have friends who support them to dig down the issue. The above line was a quick fix for my case, I'm uncertain if it might appear to others in other ways, but this clearly goes against the principle of robustness. Upstream is at 3.6 in the meantime, I'm willing to update it now that I dug a bit further into it. If I don't hear back in the next few days I propose an NMU for it, as thanks for having it around in the first place. :)
Enjoy,
Rhonda [happy again]
* Rhonda D'Vine <rhonda@deb.at> [2022-03-08 16:19:46 CET]:
Hi Rhonda, I am happy that you found and fixed your problem. I suspect, however, that the code that you changed was not actually kpcli code but, instead, File::KeePass code -- the module that kpcli uses to read and write keepass files. https://metacpan.org/pod/File::KeePass Can you confirm that I am correct about that? Thanks,
Yes indeed, I had to fix it through the module. Sorry that I wasn't clear on that part. Likely this should be changed to be a bug in the module interface since the frontend shouldn't have to know too much about what's allowed or not in the fields, the module should give the frontend error messages accordingly, but I hadn't had the time to look up if that's possible to differentiate. Thanks for asking for clarification, Rhonda
On 8 March 2022 16:47:41 CET, Lester Hightower <lester.hightower@gmail.com> wrote:
Hi Rhonda,
On 08.03.22 at 16:31, Rhonda D'Vine wrote:
please feel free to do, and go ahead. Feel free to add yourself as a maintainer/uploader if you wish. ;-) The issue has been properly reassigned in the meantime. Thanks for that Lester.
* Arno Töll <arno@debian.org> [2022-03-17 14:07:02 CET]: Do you have a copy of the git repository you used still around? It never seems to have been moved to salsa, and I for obvious reasons would work based on what's there already. :) It actually hasn't been reassigned but closed I noticed, and I'm also not so convinced to call it only a minor issue, because as I explained, I managed to fix it because I know my way around the code, but that's not something to expect from regular users. I will be looking into filing this with the upstream tracker though. So long, Rhonda
Rhonda, Please note that marking this bug as "grave" queued kpcli for autoremoval from Debian testing: kpcli 3.1-3.1 is marked for autoremoval from testing on 2022-04-06 https://salsa.debian.org/qa/udd/-/blob/master/udd/testing_autoremovals_gatherer.pl Receiving that notice is what made me act yesterday.
clone 1006917 -1
reassign -1 libfile-keepass-perl
retitle -1 libfile-keepass-perl: crashes "not well-formed (invalid token)" when finding escape characters
severity -1 important
thanks
Hey,
On 18.03.22 at 12:02, Rhonda D'Vine wrote:
Alioth's archive of the repository is at https://alioth-archive.debian.org/git/collab-maint/kpcli.git.tar.xz. That allows for bare import, including git history into salsa. Unfortunately I don't have a lot of time for Debian these days, sorry about that. How about duplicating the issue and reassigning one to libfile-keepass-perl? I'm not sure about the priority, but something below RC might do for that. I did so as per this mail.
Hi, * Lester Hightower <lester.hightower@gmail.com> [2022-03-18 16:12:45 CET]: Pasting data into the comment field of an entry is nothing I would anywhere closely consider esoteric, rather the opposite. And that a tool would write data out that it couldn't read back in is something that is utterly confusing, to say the least, and a clear bug that is not just annoying but can impact people's access. That it was easy to fix doesn't reduce the impact of the issue. This is where you are clearly wrong. I tried opening the file with other keepass tools, and it boiled down to the same issue: There was data in the XML that weren't valid, and thus couldn't get parsed by any keepass tool. Please don't try to reason with things that aren't the case. Rhonda
Hi Perl team, today bug #1007914 libfile-keepass-perl came up as Bug of the Day[1]. As far as I'm informed the Uploader Jonas Genannt is not active currently and we should care as a team for this bug. In contrast to all other Perl packages it seems the package was not migrated to Salsa yet (for whatever reason). Moreover I realised that the old Alioth archive[2] was cleaned up somehow and does not contain the old repositories any more. Before I start working on the package I would like to ask around whether someone might be able to restore the old repository to keep the packaging history. If this is not possible I can recreate a repository using `gbp import-dscs`. I also need help to fix the actual issue reported in bug #1007914 since my Perl skills are extremely limited. If someone would be able to provide a patch (either to BTS or to Git once we restored the repository) this would be extremely helpful. Kind regards Andreas. [1] https://salsa.debian.org/qa/tiny_qa_tools/-/wikis/Tiny-QA-tasks#bug-of-the-day [2] https://alioth-archive.debian.org/git/pkg-perl/
Hi Andreas, https://salsa.debian.org/perl-team/modules/packages/libfile-keepass-perl Cheers, Alex
Hi Alex,
On Sat, Jul 26, 2025 at 11:58:34AM +0200, Alex Muntada wrote:
Sorry, seems it was too early this morning when I checked. ;-)
I added myself to Uploaders to possibly upload this package.
Any comment about bug #1007914?
Kind regards
Andreas.
-=| Andreas Tille, 26.07.2025 15:29:28 +0200 |=-
I think the problem is on line 1248 of lib/File/KeePass.pm:
s/([^\x00-\x7F])/'&#'.(ord $1).';'/ge;
It replaces all non-ASCII characters with &#<ord>;.
Notably, this does not affect any control characters like the escape
character (which is a perfectly valid ASCII character, just not
allowed in XML). It would also not work for vertical tab, nul and all
sorts of other funny characters.
Changing that to
s/([^\x20-\x7F])/'&#'.(ord $1).';'/ge;
would fix the problem.
Or at least I think so. With no way to replicate the issue, I am just
poking blindly here.
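Added example, not part of the thread or of File::KeePass: Python's xml.parsers.expat binds the same expat library that XML::Parser wraps, so it can show how the parser treats the ESC character from this report when it is written raw, when it is written as a numeric character reference, and when code points outside XML 1.0's Char production are removed before escaping. The function names and the sample string are constructed for illustration.

```python
import re
import xml.parsers.expat as expat

# XML 1.0 "Char" production: the only code points a document may contain,
# whether written literally or as a numeric character reference.
# Function names below are illustrative, not File::KeePass's API.
NOT_XML_CHAR = re.compile(
    r"[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]")

def escape_markup(text):
    return (text.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))

def escape_non_ascii(text):
    """Numeric references for non-ASCII only; ESC passes through raw."""
    return re.sub(r"[^\x00-\x7F]", lambda m: "&#%d;" % ord(m.group()),
                  escape_markup(text))

def escape_below_space(text):
    """Numeric references for everything outside 0x20-0x7F, ESC included."""
    return re.sub(r"[^\x20-\x7F]", lambda m: "&#%d;" % ord(m.group()),
                  escape_markup(text))

def strip_then_escape(text):
    """Drop code points XML 1.0 cannot represent, then escape the rest."""
    return escape_non_ascii(NOT_XML_CHAR.sub("", text))

def parse_result(escaped):
    """Parse a one-element document; return 'ok' or expat's error string."""
    parser = expat.ParserCreate()
    try:
        parser.Parse(("<Notes>%s</Notes>" % escaped).encode("utf-8"), True)
    except expat.ExpatError as err:
        return expat.ErrorString(err.code)
    return "ok"

# Constructed sample: a pasted comment carrying a terminal colour sequence.
SAMPLE = "caf\u00e9 \x1b[31mred\x1b[0m & <done>\n"

if __name__ == "__main__":
    for fn in (escape_non_ascii, escape_below_space, strip_then_escape):
        print("%-20s %s" % (fn.__name__, parse_result(fn(SAMPLE))))
```

Stripping changes the stored value silently; a writer can instead refuse such input at entry time so the user sees the problem before the file is saved.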
Hello, Bug #1007914 in libfile-keepass-perl reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at: https://salsa.debian.org/perl-team/modules/packages/libfile-keepass-perl/-/commit/ae5aff98ac252def920e221a6de6aed7abf81b6b (this message was generated automatically) -- Greetings https://bugs.debian.org/1007914
Hi Damyan,
On Sat, Jul 26, 2025 at 05:51:17PM +0300, Damyan Ivanov wrote:
Thanks a lot. I've pushed the change to Git[1].
@Rhonda: Could you give the patch a try? If it helps I can upload to
experimental closing the bug and you can reopen if needed.
Kind regards
Andreas.
[1] https://salsa.debian.org/perl-team/modules/packages/libfile-keepass-perl/-/commit/ae5aff98ac252def920e221a6de6aed7abf81b6b
We believe that the bug you reported is fixed in the latest version of
libfile-keepass-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1007914@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Tille <tille@debian.org> (supplier of updated libfile-keepass-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 16 Aug 2025 07:54:35 +0200
Source: libfile-keepass-perl
Architecture: source
Version: 2.03-2
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Andreas Tille <tille@debian.org>
Closes: 1007914
Changes:
libfile-keepass-perl (2.03-2) unstable; urgency=low
.
[ Salvatore Bonaccorso ]
* Change search.cpan.org based URIs to metacpan.org based URIs
* Update Vcs-* headers for switch to salsa.debian.org
.
[ gregor herrmann ]
* Strip trailing slash from metacpan URLs.
* debian/copyright: change Copyright-Format 1.0 URL to HTTPS.
* debian/watch: use uscan version 4.
.
[ Alex Muntada ]
* Remove inactive pkg-perl members from Uploaders.
.
[ Debian Janitor ]
* Bump debhelper from deprecated 8 to 13.
* Set debhelper-compat version in Build-Depends.
.
[ Andreas Tille ]
* Standards-Version: 4.7.2 (routine-update)
* Add myself to Uploaders
.
[ Damyan Ivanov ]
* Fix replacement of control characters
Closes: #1007914