head 1.2;
access;
symbols
    pkgsrc-2015Q3:1.1.0.2;
locks; strict;
comment @// @;

1.2
date 2015.12.09.13.54.32; author wiz; state dead;
branches;
next 1.1;
commitid 7Ck5Wris4YmPihMy;

1.1
date 2015.12.06.14.20.34; author wiz; state Exp;
branches
    1.1.2.1;
next ;
commitid L4KzvZEAyHVayTLy;

1.1.2.1
date 2015.12.06.14.20.34; author bsiegert; state dead;
branches;
next 1.1.2.2;
commitid kkfmyA6jRiLquVLy;

1.1.2.2
date 2015.12.06.20.10.39; author bsiegert; state Exp;
branches;
next ;
commitid kkfmyA6jRiLquVLy;

desc
@@

1.2
log
@Update keepassx to 0.4.4.

Non-Windows CVE mentioned below was already fixed in pkgsrc.

Changes:

Two security flaws have been discovered in KeePassX 0.4.3.
Version 2.0 has a different codebase and is not affected.

* CVE-2015-8359: DLL Preloading vulnerability on Windows

  The version of Qt bundled with KeePassX 0.4.3 is vulnerable to a DLL preloading attack.
  This vulnerability only affects KeePassX on Windows.
  If successfully exploited, arbitrary code can be executed in the context of KeePassX.
  KeePassX 0.4.4 ships with Qt 4.8.7 and employs additional hardening measures.
  Thanks to Trenton Ivey from SecureWorks for reporting this vulnerability to us.

* CVE-2015-8378: Canceling XML export function creates export as ".xml" file

  When canceling the "Export to > KeePassX XML file" function the cleartext passwords were still exported.
  In this case the password database was exported as the file ".xml" in the current working directory (often $HOME or the directory of the database).
  Originally reported as Debian bug #791858

KeePassX 0.4.4 fixes both vulnerabilities.
@
text
@$NetBSD: patch-src_lib_FileDialogs.cpp,v 1.1 2015/12/06 14:20:34 wiz Exp $

Description: Abort file save dialog gracefully on 'cancel'
Author: Reinhard Tartler
Bug-Debian: 791858

The Qt documentation says that pressing the "Cancel" button "returns a null string" (cf http://doc.qt.io/qt-4.8/qfiledialog.html#details).
The default (and only) implementation of the File dialog ignores this case and wrongly constructs a bogus filename. This patch bails out gracefully and avoids cleartext passwords on the hard disk. Fixes CVE-2015-8378 https://anonscm.debian.org/cgit/collab-maint/keepassx.git/commit/?id=b3c9028db8ec3b8752ff47717ffc792d755c1294 --- src/lib/FileDialogs.cpp.orig 2009-10-08 19:27:39.000000000 +0000 +++ src/lib/FileDialogs.cpp @@@@ -118,6 +118,10 @@@@ QString QtStandardFileDialogs::saveFileD SelectedFilter=Filters[SelectedFilterIndex]; QString filepath = QFileDialog::getSaveFileName(parent,title,dir,toSingleStringFilter(Filters),&SelectedFilter, ShowOverwriteWarning ? (QFileDialog::Option)0 : QFileDialog::DontConfirmOverwrite); + // Fixes CVE-2015-8378 + if (filepath.isEmpty()) + return filepath; + LastFilter=Filters.indexOf(SelectedFilter); //Check whether the file has an extension which fits to the selected filter @ 1.1 log @Fix CVE-2015-8378 using the patch from Debian. Bump PKGREVISION. While here, clean up pkglint. @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-src_lib_FileDialogs.cpp was added on branch pkgsrc-2015Q3 on 2015-12-06 20:10:39 +0000 @ text @d1 29 @ 1.1.2.2 log @Pullup ticket #4868 - requested by wiz security/keepassx: security fix Revisions pulled up: - security/keepassx/Makefile 1.31 - security/keepassx/distinfo 1.8 - security/keepassx/patches/patch-src_lib_AutoTypeX11.cpp 1.2 - security/keepassx/patches/patch-src_lib_FileDialogs.cpp 1.1 - security/keepassx/patches/patch-src_lib_random.cpp 1.4 --- Module Name: pkgsrc Committed By: wiz Date: Sun Dec 6 14:20:34 UTC 2015 Modified Files: pkgsrc/security/keepassx: Makefile distinfo pkgsrc/security/keepassx/patches: patch-src_lib_AutoTypeX11.cpp patch-src_lib_random.cpp Added Files: pkgsrc/security/keepassx/patches: patch-src_lib_FileDialogs.cpp Log Message: Fix CVE-2015-8378 using the patch from Debian. Bump PKGREVISION. While here, clean up pkglint. 
@ text @a0 29 $NetBSD$ Description: Abort file save dialog gracefully on 'cancel' Author: Reinhard Tartler Bug-Debian: 791858 The Qt documentation says that pressing the "Cancel" button "returns a null string" (cf http://doc.qt.io/qt-4.8/qfiledialog.html#details). The default (and only) implementation of the File dialog ignores this case and wrongly constructs a bogus filename. This patch bails out gracefully and avoids cleartext passwords on the hard disk. Fixes CVE-2015-8378 https://anonscm.debian.org/cgit/collab-maint/keepassx.git/commit/?id=b3c9028db8ec3b8752ff47717ffc792d755c1294 --- src/lib/FileDialogs.cpp.orig 2009-10-08 19:27:39.000000000 +0000 +++ src/lib/FileDialogs.cpp @@@@ -118,6 +118,10 @@@@ QString QtStandardFileDialogs::saveFileD SelectedFilter=Filters[SelectedFilterIndex]; QString filepath = QFileDialog::getSaveFileName(parent,title,dir,toSingleStringFilter(Filters),&SelectedFilter, ShowOverwriteWarning ? (QFileDialog::Option)0 : QFileDialog::DontConfirmOverwrite); + // Fixes CVE-2015-8378 + if (filepath.isEmpty()) + return filepath; + LastFilter=Filters.indexOf(SelectedFilter); //Check whether the file has an extension which fits to the selected filter @
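
Review bot: The early return `if (filepath.isEmpty()) return filepath;` hands an empty QString back to every caller of QtStandardFileDialogs::saveFileDialog, so the fix only holds if each call site (the XML export path in particular) treats an empty result as "cancelled" and skips the write. No caller is visible in this hunk, so the call sites should be checked, or the contract stated in a comment on the function. The added comment `// Fixes CVE-2015-8378` names the CVE but not the reason; a sentence saying that getSaveFileName() returns a null string on Cancel and that the check must stay above the extension handling would keep a later refactor from moving it below the "Check whether the file has an extension" step. Placing the check before `LastFilter=Filters.indexOf(SelectedFilter);` also means a cancelled dialog no longer updates LastFilter, which looks like the right behaviour.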