Subject: CVS commit: pkgsrc/security/keepassx
From: Thomas Klausner
Date: 2015-12-09 14:54:32
Message id: 20151209135432.BCA85FB80@cvs.NetBSD.org
Log Message:
Update keepassx to 0.4.4.
Non-Windows CVE mentioned below was already fixed in pkgsrc.
Changes:
Two security flaws have been discovered in KeePassX 0.4.3.
Version 2.0 has a different codebase and is not affected.
* CVE-2015-8359: DLL Preloading vulnerability on Windows
The version of Qt bundled with KeePassX 0.4.3 is vulnerable to
a DLL preloading attack. This vulnerability only affects
KeePassX on Windows. If successfully exploited, arbitrary code
can be executed in the context of KeePassX. KeePassX 0.4.4
ships with Qt 4.8.7 and employs additional hardening measures.
Thanks to Trenton Ivey from SecureWorks for reporting this
vulnerability to us.
* CVE-2015-8378: Canceling XML export function creates export as ".xml" file
When canceling the "Export to > KeePassX XML file" function
the cleartext passwords were still exported. In this case the
password database was exported as the file ".xml" in the current
working directory (often $HOME or the directory of the database).
Originally reported as Debian bug #791858
KeePassX 0.4.4 fixes both vulnerabilities.
Files: