Bug 537062

Description Agostino Sarubbo 2015-01-19 15:36:31 UTC

From http://seclists.org/oss-sec/2015/q1/att-153/screenlocker-network.txt:

KDE Project Security Advisory
=============================

Title:          plasma-workspace: Network access from screen locker
Risk Rating:    Low
CVE:
Platforms:      X11
Versions:       plasma-workspace < 5.1.95
Author:         Martin Gräßlin mgraesslin () kde org
Date:

Overview
========

Plasma's lock screen implementation uses Look and Feel packages
containing QtQuick source files to style the lock screen.
Look and Feel packages can be selected by the user using a system
settings module. A user could download a Look and Feel package and
install it locally.

The QtQuick view allows network interaction, thus a malicious Look
and Feel package could collect the user's passwords on all systems
it's installed to.

Similarly any application running under the given user could install a
different Look and Feel package to gain the user's password.

Impact
======

If a user downloaded and installed a Look and Feel package the user's
password might be sent to the author of the Look and Feel package.

Workaround
==========

Use one of the default provided Look and Feel packages.

Solution
========

For plasma-workspace upgrade to Plasma 5.1.95 or apply the following patch:
 http://commits.kde.org/plasma-workspace/0a9cea625dfcb068fb03a4deab7430b1c4ad8aa4

Credits
=======

Thanks to Martin Gräßlin for finding and fixing the issue.




From http://seclists.org/oss-sec/2015/q1/att-153/screenlocker-input.txt:

KDE Project Security Advisory
=============================

Title:          kde-workspace, plasma-workspace: X11 clients can eavesdrop input events while screen is locked
Risk Rating:    Low
CVE:
Platforms:      X11
Versions:       kde-workspace >= 4.2.0, plasma-workspace < 5.1.95
Author:         Martin Gräßlin mgraesslin () kde org
Date:

Overview
========

Plasma ScreenLocker deamon (ksld) as part of ksmserver grabs keyboard and
mouse to ensure that no other X11 client is able to read the input while
the screen is locked. All input events are sent from ksld to the greeter
process showing the unlocking UI.

The vulnerability allows any X11 client (either locally or remote) to gain
access to all input events entered while the screen is locked.

Impact
======

Any application having access to the X server is able to sniff the
user's  password. An application connected to the X server might be run
by a different user or even be a remote application.

Workaround
==========

To reduce the risk it's recommended to not allow X11 clients from other
user accounts on the local system or remote X11 clients to connect to
the X server.

On kde-workspace using the "Screen locker type" "Screen saver" instead of
the default "Simple locker" can circumvent the problem.

In general disabling the screen locker also circumvents the problem.

Solution
========

For plasma-workspace upgrade to Plasma 5.1.95 or apply the following patch:
 http://commits.kde.org/plasma-workspace/0ac34dca5d6a6ea8fc5c06e1dae96fb1ad4ce7c9

Credits
=======

Thanks to Martin Gräßlin for finding and fixing the issue


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.