Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 686422 (CVE-2018-20839)

Summary: <sys-apps/systemd-243: unauthorized disclosure of information (VT kbd reset check)
Product: Gentoo Security Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: systemd
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/systemd/systemd/pull/12378
Whiteboard: A4 [noglsa cve]
Package list:
Runtime testing required: ---

Description D'juan McDonald (domhnall) 2019-05-20 23:58:38 UTC 
(https://nvd.nist.gov/vuln/detail/CVE-2018-20839):

systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.

references: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993

@maintainer(s): Milestone for v243 release

Gentoo Security Padawan
(domhnall)
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2019-05-21 00:22:10 UTC 
Commit is upstream in master:

https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f
Comment 2 Mike Gilbert gentoo-dev 2019-07-10 18:10:18 UTC 
Waiting for this to be fixed.

https://github.com/systemd/systemd/issues/12616
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-26 03:27:04 UTC 
(In reply to Mike Gilbert from comment #2)
> Waiting for this to be fixed.
> 
> https://github.com/systemd/systemd/issues/12616

Fixed in https://github.com/systemd/systemd/pull/13109

... which seems to have landed in v243. So tree is clean?