Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 585140 (CVE-2016-5119) - <app-admin/keepass-2.34: MitM attack against update check
Summary: <app-admin/keepass-2.34: MitM attack against update check
Status: RESOLVED FIXED
Alias: CVE-2016-5119
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-06 07:25 UTC by Agostino Sarubbo
Modified: 2016-07-17 22:21 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-06-06 07:25:28 UTC
From ${URL} :

An attacker can abuse KeePass 2's recommended automatic update check – if enabled – to “release” a 
new version and redirect the user to a malicious download page.

External references:

https://bogner.sh/2016/03/mitm-attack-against-keepass-2s-update-check/


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alessandro Di Federico 2016-06-06 09:22:36 UTC
Upstream's response:

http://keepass.info/help/kb/sec_issues.html#updsig

The above link talks about KeePass 2.34 but it doesn't appear it has been released yet. So let's wait and see. Since AFAIK there's no public repository, I think the only thing to do is to wait.

I think this is not tragic in our context, typically the user might be led to think there's an updated version, but as long as it uses Portage everything should be fine. Our uses are not supposed to download anything from the website in any case.

This said, upstream should use HTTPS everywhere on the website, while currently they are not. I just noticed in an hidden place in the website they also provide signatures for the source code using PGP. I'll check them from now on.

http://keepass.info/integrity_sig.html

I also verified that the last three versions of KeePass had a correct signature.

I used the key with the following fingerprint (which I confirmed on pgp.mit.edu, the non-HTTPS website and keybase.io):

2171 BEEA D0DD 92A1 8065 5626 DCCA A5B3 FEB7 C7BC

Everything should be fine.
Comment 2 Frank Krömmelbein 2016-06-11 14:00:52 UTC
KeePass 2.34 has been released today.

Full Changelog:
http://keepass.info/news/n160611_2.34.html
Comment 3 Alessandro Di Federico 2016-06-11 16:02:36 UTC
I've tested the new version and the old ebuild works fine. We're good to go.

On a side note, I asked upstream to sign the packages with a stronger PGP key:

https://sourceforge.net/p/keepass/discussion/329220/thread/46872dc1/

Now they use a key with the following fingerprint:

D950 4428 3EE9 48D9 11E8  B606 A4F7 62DC 58C6 F98E

Here's the relevant part of the Manifest file:

DIST KeePass-2.34-Source.zip 4744285 SHA256 e3f184e4deddd1aa5ee2b52e2373c772d3f3975e5eddb2fd729eb27b437011aa SHA512 a52fe7bb0cee60daa0428cf42cf2d6cfc5798fa52d535b10548880417bfe61458c5357ea3dfdb569571fa8aa958de05369c269e2dbb64af5cfa5c913fad521e0 WHIRLPOOL 2aeac242d5f1a342ec338cb442b8083f4dc72635d9bc8b02cd2aad4613ecf9f311cddf0832a3f1ebe03d881dce41d3a77edb097e3853967d467c2ce55b8d33cb
Comment 4 Michael Palimaka (kensington) gentoo-dev 2016-06-11 18:10:47 UTC
Thanks a lot, bumped in git.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e8059e6ba92d83a257549f6879cea55759aae85
Comment 5 Agostino Sarubbo gentoo-dev 2016-07-09 17:46:25 UTC
amd64 stable
Comment 6 Michael Palimaka (kensington) gentoo-dev 2016-07-17 19:16:57 UTC
x86 stable and cleanup done
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-07-17 22:21:31 UTC
GLSA Vote: No.