pkgsrc-Changes archive


CVS commit: pkgsrc/security/keepassx



Module Name:    pkgsrc
Committed By:   wiz
Date:           Wed Dec  9 13:54:32 UTC 2015

Modified Files:
        pkgsrc/security/keepassx: Makefile distinfo
Removed Files:
        pkgsrc/security/keepassx/patches: patch-src_lib_FileDialogs.cpp

Log Message:
Update keepassx to 0.4.4.

Non-Windows CVE mentioned below was already fixed in pkgsrc.

Changes:

Two security flaws have been discovered in KeePassX 0.4.3.
Version 2.0 has a different codebase and is not affected.

*   CVE-2015-8359: DLL Preloading vulnerability on Windows
    The version of Qt bundled with KeePassX 0.4.3 is vulnerable to
    a DLL preloading attack.  This vulnerability only affects
    KeePassX on Windows.  If successfully exploited, arbitrary code
    can be executed in the context of KeePassX.  KeePassX 0.4.4
    ships with Qt 4.8.7 and employs additional hardening measures.
    Thanks to Trenton Ivey from SecureWorks for reporting this
    vulnerability to us.
*   CVE-2015-8378: Canceling XML export function creates export as ".xml" file
    When canceling the "Export to > KeePassX XML file" function
    the cleartext passwords were still exported.  In this case the
    password database was exported as the file ".xml" in the current
    working directory (often $HOME or the directory of the database).
    Originally reported as Debian bug #791858

KeePassX 0.4.4 fixes both vulnerabilities.


To generate a diff of this commit:
cvs rdiff -u -r1.31 -r1.32 pkgsrc/security/keepassx/Makefile
cvs rdiff -u -r1.8 -r1.9 pkgsrc/security/keepassx/distinfo
cvs rdiff -u -r1.1 -r0 \
    pkgsrc/security/keepassx/patches/patch-src_lib_FileDialogs.cpp

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
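
An added check, not part of the commit message or of KeePassX: because CVE-2015-8378 left the cleartext export as a file named ".xml" in the working directory, this script looks for such a leftover in $HOME and in any directories passed as arguments (for example the directory holding the database). The function name and the tab-separated output format are assumptions of this example.

```sh
#!/bin/sh
# Added example: find leftover cleartext exports named ".xml"
# (CVE-2015-8378) directly inside the given directories.

# Prints one line per finding: <path> TAB <size in bytes> TAB <exposed|private>
# "exposed" means the file mode grants read access to group or others.
find_stray_exports() {
    for dir in "$@"; do
        f="$dir/.xml"
        # Only regular, non-empty files count; skip symlinks and directories.
        [ -f "$f" ] && [ ! -L "$f" ] && [ -s "$f" ] || continue

        size=$(wc -c < "$f" | tr -d ' ')

        # A cleartext password export should never be group/world readable.
        if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
            state=exposed
        else
            state=private
        fi

        printf '%s\t%s\t%s\n' "$f" "$size" "$state"
    done
    return 0
}

# Default: check $HOME plus any directories given on the command line.
find_stray_exports "${HOME:-.}" "$@"
```

Any file reported should be inspected and, if it is a KeePassX export, removed; passwords it contained should be treated as disclosed when the state is "exposed".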



