And why is this a problem?
If you have a field starting with "=", you want to retain that value in a CSV export.
cheers, Paul
Well, I didn't create the CVE, I'm just reporting that it exists. For example, pkgsrc has been marking KeePass as having an "unspecified security vulnerability", and today I investigated whether that was still reproducible with the latest KeePass. It was.
At least OWASP, MITRE and the BSI seem to agree that interpreting a leading '=' in a CSV file is not a bug in the office applications like Microsoft Word and LibreOffice Calc, but instead the fault is on the side that generates these CSV files.
I disagree with that interpretation though, since the file format is called "Comma-separated values" and not "Comma-separated formulas". But I don't think I can convince these 3 parties that the bug is on the side of the office applications that interpret these values as formulas. I would be surprised if Microsoft were to fix this security issue properly in the next 20 years.
Too bad that there is no ISO standard for CSV files that everyone agrees on.
Roland
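The trade-off discussed in this thread, as an added example that is not part of any post and is not KeePass code: a CSV exporter that writes values verbatim next to one that applies the single-quote prefix OWASP suggests for generators, plus a scanner for formula-like cells. All function names and the sample rows are constructed for illustration; the prefix list goes beyond the '=' mentioned above and follows OWASP's CSV injection guidance.

```python
import csv
import io

# Leading characters a spreadsheet application may treat as the start of a
# formula. The thread only mentions '='; the rest follow OWASP's guidance.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell: str) -> bool:
    return cell.startswith(FORMULA_PREFIXES)


def neutralize(cell: str) -> str:
    """Prefix a single quote so the cell is read as text, not as a formula."""
    return "'" + cell if is_formula_like(cell) else cell


def export_csv(rows, safe: bool) -> str:
    """Serialize rows to CSV; with safe=True, formula-like cells are prefixed."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize(c) if safe else c for c in row])
    return buf.getvalue()


def import_csv(text: str):
    return list(csv.reader(io.StringIO(text)))


def find_formula_cells(text: str):
    """Return (row, column, value) for every cell a spreadsheet might evaluate."""
    return [(r, c, cell)
            for r, row in enumerate(import_csv(text))
            for c, cell in enumerate(row)
            if is_formula_like(cell)]


# Constructed sample entries (title, user name, password); not real data.
SAMPLE = [
    ["Title", "User Name", "Password"],
    ["Mail", "alice", "=Zq7!pw"],
    ["Bank", "bob", "-9fK@x2"],
]

if __name__ == "__main__":
    raw, safe = export_csv(SAMPLE, safe=False), export_csv(SAMPLE, safe=True)
    print(find_formula_cells(raw), find_formula_cells(safe))
    print(import_csv(raw) == SAMPLE, import_csv(safe) == SAMPLE)
```

The verbatim export round-trips exactly but contains cells a spreadsheet may evaluate; the neutralized export contains none, but the stored values are changed unless the importer strips the prefix again.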
I don't consider this to be a problem in KeePass, see
https://keepass.info/help/kb/sec_issues.html#expge
Thanks and best regards,
Dominik
Thank you for documenting the reasons. I have removed this alleged KeePass "vulnerability" from pkgsrc's list of vulnerable packages, so it can be downloaded and installed without warnings again.
Great, thanks! :-)