[Secure-testing-team] Bug#866769: keepassx fails to clear KDE clipboard history, leaving passwords visible
Henrik Størner
henrik at hswn.dk
Sat Jul 1 15:22:40 UTC 2017
Package: keepassx
Version: 2.0.3-1
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
keepassx 2.0.3-1 (in Debian "stretch") fails to clear the clipboard history after a password has been copied to the clipboard.
The keepassx security settings have "Clear clipboard after 10 seconds" enabled.
To reproduce:
- select an entry with a stored password in the keepassx database
- press ctrl-C to copy the password to the clipboard
- after 10 seconds (default setting), the password should disappear from the clipboard history
- click on the clipboard icon in the panel, the password is visible
This is using the KDE Desktop installation, and hence the KDE clipboard.
The KDE clipboard has a setting to prevent the clipboard from being emptied, but this setting does not change the behaviour.
-- System Information:
Debian Release: 9.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=da_DK.UTF-8, LC_CTYPE=da_DK.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages keepassx depends on:
ii libc6 2.24-11+deb9u1
ii libgcrypt20 1.7.6-2
ii libqtcore4 4:4.8.7+dfsg-11
ii libqtgui4 4:4.8.7+dfsg-11
ii libstdc++6 6.3.0-18
ii libx11-6 2:1.6.4-3
ii libxi6 2:1.7.9-1
ii libxtst6 2:1.2.3-1
ii zlib1g 1:1.2.8.dfsg-5
keepassx recommends no packages.
keepassx suggests no packages.
-- no debconf information