Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 586700 (CVE-2016-3100)

Summary: <kde-frameworks/kinit-5.21.0-r1: world readable X11 cookie key logger (CVE-2016-3100)
Product: Gentoo Security Reporter: Michael Palimaka (kensington) <kensington>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: kensington
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.kde.org/info/security/advisory-20160621-1.txt
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Michael Palimaka (kensington) gentoo-dev 2016-06-22 11:12:45 UTC 
KDE Project Security Advisory
=============================

Title:          kinit: World readable X11 Cookie key logger
Risk Rating:    Important
CVE:            CVE-2016-3100
Platforms:      X11
Versions:       kinit < 5.23
Author:         Siddharth Sharma siddharth.kde@gmail.com
Date:           21 June 2016

Overview
========

An authorized user can log key events of other user by accessing
world-readable X11 cookie


Impact
======

Pre-authenticated attacker can read all key events by the users logged on
to the system.

Workaround
==========

None

Solution
========

For kinit apply the following patches:
https://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=dece8fd89979cd1a86c03bcaceef6e9221e8d8cd
https://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=72f3702dbe6cf15c06dc13da2c99c864e9022a58

References
==========

https://bugs.kde.org/show_bug.cgi?id=358593
https://bugs.kde.org/show_bug.cgi?id=363140

Credits
=======

Thanks to David Rumley for finding the issue and Albert Astals Cid for fixing the issue.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-06-22 11:35:17 UTC 
KDE team may want to stabilize frameworks 5.23... we will await their input.
Comment 2 Michael Palimaka (kensington) gentoo-dev 2016-06-22 12:20:21 UTC 
Arch teams, please test and stabilise kde-frameworks/kinit-5.21.0-r1.

Target KEYWORDS="amd64 x86".

Thanks!
Comment 3 Agostino Sarubbo gentoo-dev 2016-06-27 08:28:33 UTC 
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-06-27 08:52:25 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Johannes Huber (RETIRED) gentoo-dev 2016-06-27 18:16:49 UTC 
Thanks all. Cleanup done. Removing kde from cc, nothing to do for us anymore.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fcc9d8ba47ee865b0c80eea5a35d051c59cb0396
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2016-09-10 07:38:54 UTC 
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Closing noglsa.