CVE-2023-32784: In KeePass 2.x before 2.54, it is possible to recover the cleartext master password from a memory dump, even when a workspace is locked or no longer running. The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. The first character cannot be recovered. In 2.54, there is different API usage and/or random string insertion for mitigation. Apparently will be fixed in 2.54.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bebd95d0421c9e351075775e32f4d7b24bdb201 commit 2bebd95d0421c9e351075775e32f4d7b24bdb201 Author: Petr Vaněk <arkamar@gentoo.org> AuthorDate: 2024-09-02 12:08:17 +0000 Commit: Petr Vaněk <arkamar@gentoo.org> CommitDate: 2024-09-02 12:08:33 +0000 app-admin/keepass: drop 2.49, 2.53, 2.56 Bug: https://bugs.gentoo.org/835074 Bug: https://bugs.gentoo.org/908040 Signed-off-by: Petr Vaněk <arkamar@gentoo.org> app-admin/keepass/Manifest | 3 - .../files/keepass-2.36-xsl-path-detection.patch | 43 -------- app-admin/keepass/keepass-2.49.ebuild | 116 --------------------- app-admin/keepass/keepass-2.53.ebuild | 116 --------------------- app-admin/keepass/keepass-2.56.ebuild | 116 --------------------- 5 files changed, 394 deletions(-)
