[Secure-testing-team] Bug#785305: keepass2: option to lock workspace on suspend does not work

Todor Tsankov tt.debian at mail.ru
Thu May 14 14:04:25 UTC 2015


Package: keepass2
Version: 2.28+dfsg-1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

The two options "Lock workspace when locking the computer"
and "Lock workspace when the computer is about to be suspended"
do not function. This makes it possible to read a user's secrets
from memory if, for example, a laptop is stolen while suspended
and the software is running. The two options are specifically
designed to prevent this from happening and a user who has
enabled them will expect to be protected from such an attack.

I am using Gnome on Debian Jessie.



-- System Information:
Debian Release: 8.0
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages keepass2 depends on:
ii  libmono-corlib4.5-cil                3.2.8+dfsg-10
ii  libmono-system-drawing4.0-cil        3.2.8+dfsg-10
ii  libmono-system-security4.0-cil       3.2.8+dfsg-10
ii  libmono-system-windows-forms4.0-cil  3.2.8+dfsg-10
ii  libmono-system-xml4.0-cil            3.2.8+dfsg-10
ii  libmono-system4.0-cil                3.2.8+dfsg-10
ii  libx11-6                             2:1.6.2-3
ii  mono-runtime                         3.2.8+dfsg-10

Versions of packages keepass2 recommends:
ii  xsel  1.2.0-2

Versions of packages keepass2 suggests:
ii  keepass2-doc  2.28+dfsg-1
pn  mono-dmcs     <none>
pn  xdotool       <none>

-- no debconf information


