#1008022 keepass2: CVE-2022-0725 information disclosure

Package: keepass2
Source: keepass2
Submitter: Markus Koschany
Date: 2022-06-24 15:57:07 UTC
Severity: grave
#1008022#5
Date: 2022-03-20 17:16:41 UTC
Hi,

The following vulnerability was published for keepass2.

CVE-2022-0725[0]:
| A flaw was found in KeePass. The vulnerability occurs due to logging
| the plain text passwords in the system log and leads to an Information
| Exposure vulnerability. This flaw allows an attacker to interact and
| read sensitive passwords and logs.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-0725
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0725

Please adjust the affected versions in the BTS as needed.

Steps to reproduce the problem (according
to https://bugzilla.redhat.com/show_bug.cgi?id=2052696)


Step 1: Run "journalctl -f" in a terminal window.
Step 2: Double click a password in KeePass.
Step 3: Wait for the clear timeout to trigger.

Actual results:
See your plain text password logged in the terminal window

Expected results:
Never see your plain text password logged anywhere


Only users in the systemd-journal group can use journalctl. At the moment I
can't reproduce the problem on a custom XFCE system but I have not tried GNOME
or other desktop environments yet and I suspect this problem is not limited to
RedHat or Fedora.


Regards,

Markus

#1008022#12
Date: 2022-06-24 15:16:41 UTC
I failed to reproduce this on Gnome on a freshly installed buster
system.

I failed to reproduce this on Gnome on a freshly installed bullseye
system with wayland.

Also on bullseye:

 - I tried to install all the clipboard managers I could find in apt
   (clipit clipman copyq diodon gnome-shell-extension-gpaste parcellite
   qlipper xsel) and I still couldn't reproduce.

 - I ran keepass2 in a terminal, and it did not produce output.

 - I ran keepass2 from Gnome Shell, and I keep seeing nothing in logs.

In RedHat's bugzilla at https://bugzilla.redhat.com/show_bug.cgi?id=2053688
they also failed to reproduce it. At this point, the only reproducers
are in the two threads in the keepass discussion forum.

In https://sourceforge.net/p/keepass/discussion/329220/thread/da7546b7e1/
Paul tried to reproduce it, too, and also failed.

At this point I would suspect that something else was at play in the
users' systems, independent from keepass2.


Enrico

#1008022#17
Date: 2022-06-24 15:35:39 UTC
I also failed to reproduce this on a freshly installed stretch system,
both on an X11 and on a Wayland session.


Enrico

#1008022#24
Date: 2022-06-24 15:48:55 UTC
Hello,

not having been able to find a way to reproduce this on various
combinations of systems, I suppose it's time to close this as
unreproducible.


Enrico