#1007914 libfile-keepass-perl: crashes "not well-formed (invalid token)" when finding escape characters

#1007914#5
Date:
2022-03-08 08:07:43 UTC
From:
To:
Dear Maintainer,

I store my passwords in a keepass file that I exclusively use through kpcli.
After the last kernel upgrade reboot I was unable to open the file anymore, and
thus can't access my passwords.  I have an aged backup, and most sites offer
password resets, but this is actually a serious data loss.

When I try to open the database now I get the following error message:

➤ kpcli --kdb rhonda.kdbx
Please provide the master password: *************************
Couldn't load the file rhonda.kdbx:
not well-formed (invalid token) at line 3103, column 15, byte 100409 at /usr/lib/x86_64-linux-gnu/perl5/5.34/XML/Parser.pm line 187.

So I have somehow the hope that the data isn't lost completely, only that the
XML parser is stumbling upon something.  I haven't had the nerve yet to dig
further into it and try to unpack the whole situation, make kpcli dump what it
gives to XML::Parser, that part gives me a bit of a hope because it clearly can
decrypt the file in the first place, but it makes it unusable to the
"innocent".

If you are able to give me any helping hand on those grounds, they would be
very much appreciated! Because as it stands I assume this might happen to
others, and I'm uncertain if it would have anything to do with specific data
stored in some comment or password field or whatever.

Thanks in advance,
Rhonda

#1007914#10
Date:
2022-03-08 15:19:45 UTC
From:
To:
   Hi,

 I managed to find the culprit With A Little Help From My Friends[tm]. I
used Data::Dumper before the content got passed to XML::Parser, and it
turned out that there is an Escape character (0x1b, ^[) in a comment
field.

 kpcli seems to have accepted this when the comment was pasted and
stored it happily, but was unable to re-read the file written with that
in it.

 I'm currently fiddling around to delete that escape character on load
time and have kpcli start, allowing me to save it without the escape
character, hopefully allowing to re-read it afterwards.

 I'll keep you posted,
Rhonda

#1007914#15
Date:
2022-03-08 15:31:55 UTC
From:
To:
  Hi,

$buffer =~ s/\e//g;

 .. this was all that was needed to fix my mess.  Though, kpcli for
obvious reasons shouldn't be able to write broken data it can't read
again, so I keep seeing this as a severe bug in the code which can lead
to data loss for people who aren't familiar enough with perl or who
don't have friends who support them to dig down the issue.

 The above line was a quick fix for my case, I'm uncertain if it might
appear to others in other ways, but this clearly goes against the
principle of robustness.

 Upstream is at 3.6 in the meantime, I'm willing to update it now that I
dug a bit further into it.  If I don't hear back in the next few days
I propose an NMU for it, as thanks for having it around in the first
place. :)

 Enjoy,
Rhonda [happy again]


* Rhonda D'Vine <rhonda@deb.at> [2022-03-08 16:19:46 CET]:

#1007914#20
Date:
2022-03-08 15:47:41 UTC
From:
To:
Hi Rhonda,

I am happy that you found and fixed your problem. I suspect, however, that
the code that you changed was not actually kpcli code but, instead,
File::KeePass code -- the module that kpcli uses to read and write keepass
files. https://metacpan.org/pod/File::KeePass

Can you confirm that I am correct about that?

Thanks,

#1007914#25
Date:
2022-03-08 16:06:06 UTC
From:
To:
Yes indeed, I had to fix it through the module. Sorry that I wasn't clear on that part. Likely this should be changed to be a bug in the module interface since the frontend shouldn't have to know too much about what's allowed or not in the fields, the module should give the frontend error messages accordingly, but I hadn't had the time to look up if that's possible to differentiate.

Thanks for asking for clarification,
Rhonda

On 8 March 2022 16:47:41 CET, Lester Hightower <lester.hightower@gmail.com> wrote:

#1007914#36
Date:
2022-03-17 13:07:02 UTC
From:
To:
Hi Rhonda,

On 08.03.22 at 16:31, Rhonda D'Vine wrote:

please feel free to do, and go ahead. Feel free to add yourself as a
maintainer/uploader if you wish. ;-)

The issue has been properly reassigned in the meantime. Thanks for that
Lester.

#1007914#41
Date:
2022-03-18 11:02:47 UTC
From:
To:
* Arno Töll <arno@debian.org> [2022-03-17 14:07:02 CET]:

 Do you have a copy of the git repository you used still around?  It
never seems to have been moved to salsa, and I for obvious reasons would
work based on what's there already. :)

 It actually hasn't been reassigned but closed I noticed, and I'm also
not so convinced to call it only a minor issue, because as I explained,
I managed to fix it because I know my way around the code, but that's
not something to expect from regular users.  I will be looking into
filing this with the upstream tracker though.

 So long,
Rhonda

#1007914#46
Date:
2022-03-18 11:53:30 UTC
From:
To:
Rhonda,

Please note that marking this bug as "grave" queued kpcli for autoremoval
from Debian testing:

kpcli 3.1-3.1 is marked for autoremoval from testing on 2022-04-06

https://salsa.debian.org/qa/udd/-/blob/master/udd/testing_autoremovals_gatherer.pl



Receiving that notice is what made me act yesterday.

#1007914#51
Date:
2022-03-18 13:22:35 UTC
From:
To:
clone 1006917 -1
reassign -1 libfile-keepass-perl
retitle -1 libfile-keepass-perl: crashes "not well-formed (invalid token)" when finding escape characters
severity -1 important
thanks

Hey,

On 18.03.22 at 12:02, Rhonda D'Vine wrote:

Alioth's archive of the repository is at
https://alioth-archive.debian.org/git/collab-maint/kpcli.git.tar.xz.
That allows for bare import, including git history into salsa.

Unfortunately I don't have a lot of time for Debian these days, sorry
about that.


How about duplicating the issue and reassigning one to
libfile-keepass-perl? I'm not sure about the priority, but something
below RC might do for that. I did so as per this mail.

#1007914#68
Date:
2022-03-18 17:23:44 UTC
From:
To:
   Hi,

* Lester Hightower <lester.hightower@gmail.com> [2022-03-18 16:12:45 CET]:

 Pasting data into the comment field of an entry is nothing I would
anywhere closely consider esoteric, rather the opposite.  And that a
tool would write data out that it couldn't read back in is something
that is utterly confusing, to say the least, and a clear bug that is not
just annoying but can impact people's access.  That it was easy to fix
doesn't reduce the impact of the issue.

 This is where you are clearly wrong.  I tried opening the file with
other keepass tools, and it boiled down to the same issue: There was
data in the XML that weren't valid, and thus couldn't get parsed by any
keepass tool.

 Please don't try to reason with things that aren't the case.
Rhonda

#1007914#73
Date:
2025-07-26 05:25:32 UTC
From:
To:
Hi Perl team,

today bug #1007914 libfile-keepass-perl came up as Bug of the Day[1].
As far as I'm informed the Uploader Jonas Genannt is not active
currently and we should care as a team for this bug.

In contrast to all other Perl packages it seems the package was not
migrated to Salsa yet (for whatever reason).  Moreover I realised that
the old Alioth archive[2] was cleaned up somehow and does not contain
the old repositories any more.

Before I start working on the package I would like to ask around whether
someone might be able to restore the old repository to keep the packaging
history.  If this is not possible I can recreate a repository using
`gbp import-dscs`.

I also need help to fix the actual issue reported in bug #1007914 since
my Perl skills are extremely limited.  If someone would be able to
provide a patch (either to BTS or to Git once we restored the
repository) this would be extremely helpful.

Kind regards
   Andreas.

[1] https://salsa.debian.org/qa/tiny_qa_tools/-/wikis/Tiny-QA-tasks#bug-of-the-day
[2] https://alioth-archive.debian.org/git/pkg-perl/

#1007914#78
Date:
2025-07-26 09:58:34 UTC
From:
To:
#1007914#83
Date:
2025-07-26 13:29:28 UTC
From:
To:
Hi Alex,

On Sat, Jul 26, 2025 at 11:58:34AM +0200, Alex Muntada wrote:

Sorry, seems it was too early this morning when I checked. ;-)
I added myself to Uploaders to possibly upload this package.

Any comment about bug #1007914?

Kind regards
    Andreas.

#1007914#86
Date:
2025-07-26 14:51:17 UTC
From:
To:
-=| Andreas Tille, 26.07.2025 15:29:28 +0200 |=-

I think the problem is on line 1248 of lib/File/KeePass.pm:

    s/([^\x00-\x7F])/'&#'.(ord $1).';'/ge;

It replaces all non-ASCII characters with &#<ord>;.

Notably, this does not affect any control characters like the escape
character (which is a perfectly valid ASCII character, just not
allowed in XML). It would also not work for vertical tab, nul and all
sorts of other funny characters.

Changing that to

    s/([^\x20-\x7F])/'&#'.(ord $1).';'/ge;

would fix the problem.

Or at least I think so. With no way to replicate the issue, I am just
poking blindly here.
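
Added example, not part of the thread and not File::KeePass code: the two substitutions quoted in this thread, ported to Python's `re`, plus a hypothetical third variant (`escape_strip`) that drops code points outside the XML 1.0 `Char` production before escaping, each fed to Expat, the parser library underneath both XML::Parser and Python's `xml.parsers.expat`. The sample comment string, the `<Value>` wrapper and all function names are constructed for illustration.

```python
import re
import xml.parsers.expat

# Complement of the XML 1.0 Char production: code points a document may not contain.
XML10_INVALID = re.compile(
    r"[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]")

# Constructed sample: a pasted comment carrying ANSI colour codes (ESC = 0x1b).
SAMPLE = "login \x1b[31mfailed\x1b[0m at caf\u00e9"

def numeric_refs(pattern, text):
    # Same replacement as the Perl '&#'.(ord $1).';' with the /ge flags.
    return re.sub(pattern, lambda m: "&#%d;" % ord(m.group()), text)

def escape_original(text):
    """Port of s/([^\\x00-\\x7F])/.../ge: only non-ASCII becomes a reference."""
    return numeric_refs(r"[^\x00-\x7F]", text)

def escape_proposed(text):
    """Port of s/([^\\x20-\\x7F])/.../ge: C0 controls become references too."""
    return numeric_refs(r"[^\x20-\x7F]", text)

def escape_strip(text):
    """Hypothetical variant: drop what XML 1.0 cannot carry, then escape."""
    return escape_original(XML10_INVALID.sub("", text))

def parse_result(body):
    """Parse <Value>body</Value> with Expat; return 'ok' or Expat's error text."""
    parser = xml.parsers.expat.ParserCreate()
    try:
        parser.Parse(("<Value>%s</Value>" % body).encode("utf-8"), True)
        return "ok"
    except xml.parsers.expat.ExpatError as exc:
        return xml.parsers.expat.ErrorString(exc.code)

if __name__ == "__main__":
    for fn in (escape_original, escape_proposed, escape_strip):
        print("%-16s %s" % (fn.__name__, parse_result(fn(SAMPLE))))
```

XML 1.0 requires a numeric character reference to name a character that is itself legal in the document, so Expat rejects `&#27;` as well as the raw 0x1b byte, only with a different error string. Tab, line feed and carriage return are legal either raw or as references.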

#1007914#89
Date:
2025-07-27 12:18:22 UTC
From:
To:
Hello,

Bug #1007914 in libfile-keepass-perl reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/perl-team/modules/packages/libfile-keepass-perl/-/commit/ae5aff98ac252def920e221a6de6aed7abf81b6b

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1007914

#1007914#96
Date:
2025-07-27 12:23:28 UTC
From:
To:
Hi Damyan,

On Sat, Jul 26, 2025 at 05:51:17PM +0300, Damyan Ivanov wrote:

Thanks a lot.  I've pushed the change to Git[1].

@Rhonda: Could you give the patch a try?  If it helps I can upload to
experimental closing the bug and you can reopen if needed.

Kind regards
    Andreas.


[1] https://salsa.debian.org/perl-team/modules/packages/libfile-keepass-perl/-/commit/ae5aff98ac252def920e221a6de6aed7abf81b6b

#1007914#101
Date:
2025-08-16 06:20:43 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
libfile-keepass-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1007914@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Tille <tille@debian.org> (supplier of updated libfile-keepass-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 16 Aug 2025 07:54:35 +0200
Source: libfile-keepass-perl
Architecture: source
Version: 2.03-2
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Andreas Tille <tille@debian.org>
Closes: 1007914
Changes:
 libfile-keepass-perl (2.03-2) unstable; urgency=low
 .
   [ Salvatore Bonaccorso ]
   * Change search.cpan.org based URIs to metacpan.org based URIs
   * Update Vcs-* headers for switch to salsa.debian.org
 .
   [ gregor herrmann ]
   * Strip trailing slash from metacpan URLs.
   * debian/copyright: change Copyright-Format 1.0 URL to HTTPS.
   * debian/watch: use uscan version 4.
 .
   [ Alex Muntada ]
   * Remove inactive pkg-perl members from Uploaders.
 .
   [ Debian Janitor ]
   * Bump debhelper from deprecated 8 to 13.
   * Set debhelper-compat version in Build-Depends.
 .
   [ Andreas Tille ]
   * Standards-Version: 4.7.2 (routine-update)
   * Add myself to Uploaders
 .
   [ Damyan Ivanov ]
   * Fix replacement of control characters
     Closes: #1007914