KDE Project Security Advisory ============================= Title: kinit: World readable X11 Cookie key logger Risk Rating: Important CVE: CVE-2016-3100 Platforms: X11 Versions: kinit < 5.23 Author: Siddharth Sharma siddharth.kde@gmail.com Date: 21 June 2016 Overview ======== An authorized user can log key events of other user by accessing world-readable X11 cookie Impact ====== Pre-authenticated attacker can read all key events by the users logged on to the system. Workaround ========== None Solution ======== For kinit apply the following patches: https://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=dece8fd89979cd1a86c03bcaceef6e9221e8d8cd https://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=72f3702dbe6cf15c06dc13da2c99c864e9022a58 References ========== https://bugs.kde.org/show_bug.cgi?id=358593 https://bugs.kde.org/show_bug.cgi?id=363140 Credits ======= Thanks to David Rumley for finding the issue and Albert Astals Cid for fixing the issue.
KDE team may want to stabilize frameworks 5.23... we will await their input.
Arch teams, please test and stabilise kde-frameworks/kinit-5.21.0-r1. Target KEYWORDS="amd64 x86". Thanks!
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Thanks all. Cleanup done. Removing kde from cc, nothing to do for us anymore. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fcc9d8ba47ee865b0c80eea5a35d051c59cb0396
Arches and Maintainer(s), Thank you for your work. GLSA Vote: No Closing noglsa.