Bug 537062 - kde-plasma/plasma-workspace: two vulnerabilities (CVE-2015-1308)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-01-19 15:36 UTC by Agostino Sarubbo
Modified: 2017-02-21 19:03 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-01-19 15:36:31 UTC
From http://seclists.org/oss-sec/2015/q1/att-153/screenlocker-network.txt:

KDE Project Security Advisory
=============================

Title:          plasma-workspace: Network access from screen locker
Risk Rating:    Low
CVE:
Platforms:      X11
Versions:       plasma-workspace < 5.1.95
Author:         Martin Gräßlin mgraesslin () kde org
Date:

Overview
========

Plasma's lock screen implementation uses Look and Feel packages
containing QtQuick source files to style the lock screen.
Look and Feel packages can be selected by the user using a system
settings module. A user could download a Look and Feel package and
install it locally.

The QtQuick view allows network interaction, thus a malicious Look
and Feel package could collect the user's passwords on all systems
it's installed to.

Similarly any application running under the given user could install a
different Look and Feel package to gain the user's password.

Impact
======

If a user downloaded and installed a Look and Feel package the user's
password might be sent to the author of the Look and Feel package.

Workaround
==========

Use one of the default provided Look and Feel packages.

Solution
========

For plasma-workspace upgrade to Plasma 5.1.95 or apply the following patch:
 http://commits.kde.org/plasma-workspace/0a9cea625dfcb068fb03a4deab7430b1c4ad8aa4

Credits
=======

Thanks to Martin Gräßlin for finding and fixing the issue.




From http://seclists.org/oss-sec/2015/q1/att-153/screenlocker-input.txt:

KDE Project Security Advisory
=============================

Title:          kde-workspace, plasma-workspace: X11 clients can eavesdrop input events while screen is locked
Risk Rating:    Low
CVE:
Platforms:      X11
Versions:       kde-workspace >= 4.2.0, plasma-workspace < 5.1.95
Author:         Martin Gräßlin mgraesslin () kde org
Date:

Overview
========

Plasma ScreenLocker daemon (ksld) as part of ksmserver grabs keyboard and
mouse to ensure that no other X11 client is able to read the input while
the screen is locked. All input events are sent from ksld to the greeter
process showing the unlocking UI.

The vulnerability allows any X11 client (either locally or remote) to gain
access to all input events entered while the screen is locked.

Impact
======

Any application having access to the X server is able to sniff the
user's password. An application connected to the X server might be run
by a different user or even be a remote application.

Workaround
==========

To reduce the risk it's recommended to not allow X11 clients from other
user accounts on the local system or remote X11 clients to connect to
the X server.

On kde-workspace using the "Screen locker type" "Screen saver" instead of
the default "Simple locker" can circumvent the problem.

In general disabling the screen locker also circumvents the problem.

Solution
========

For plasma-workspace upgrade to Plasma 5.1.95 or apply the following patch:
 http://commits.kde.org/plasma-workspace/0ac34dca5d6a6ea8fc5c06e1dae96fb1ad4ce7c9

Credits
=======

Thanks to Martin Gräßlin for finding and fixing the issue.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
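
The second advisory's workaround (no X11 clients from other local accounts or remote hosts) can be checked against the X server's host-based access list. The following is an added example, not part of the bug report or the KDE advisory: the function name audit_xhost and the sample users and host (alice, bob, build01.example.org) are constructed for illustration.

```shell
#!/bin/sh
# audit_xhost USER: read `xhost` output on stdin and report every entry that
# lets anyone other than USER's own local clients connect to the X server.
# Prints one finding per line; returns 0 when nothing was found, 1 otherwise.
audit_xhost() {
    me=$1
    findings=0
    while IFS= read -r line; do
        case $line in
            "access control disabled"*)
                echo "OPEN: access control is disabled, any host can connect"
                findings=$((findings + 1)) ;;
            "access control enabled"*|"")
                ;;  # status line or blank line: nothing to report
            "SI:localuser:$me")
                ;;  # the session owner's own clients
            SI:localuser:*)
                echo "OTHER-USER: ${line#SI:localuser:}"
                findings=$((findings + 1)) ;;
            SI:localgroup:*)
                echo "OTHER-USER: group ${line#SI:localgroup:}"
                findings=$((findings + 1)) ;;
            LOCAL:*)
                echo "OTHER-USER: all local users (LOCAL:)"
                findings=$((findings + 1)) ;;
            *)
                # INET:, INET6:, SI:hostname: and anything unrecognised
                # is treated as a remote grant and reported for review.
                echo "REMOTE: $line"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample of `xhost` output, not captured from a real system.
SAMPLE_XHOST='access control enabled, only authorized clients can connect
SI:localuser:alice
SI:localuser:bob
INET:build01.example.org'

# On a live session: xhost | audit_xhost "$(id -un)"
printf '%s\n' "$SAMPLE_XHOST" | audit_xhost alice || echo "review the entries above"
```

xhost lists only host-based grants; clients that hold the session's xauth cookie do not appear in its output.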
Comment 1 Michael Palimaka (kensington) gentoo-dev 2015-02-04 15:04:28 UTC
Only the second issue affects packages in the tree, and I do not expect any patch to be provided by upstream.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-06-20 23:31:08 UTC
CVE-2015-1308 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1308):
  kde-workspace 4.2.0 and plasma-workspace before 5.1.95 allows remote
  attackers to obtain input events, and consequently obtain passwords, by
  leveraging access to the X server when the screen is locked.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-07-04 11:49:42 UTC
This has been gone from the tree for quite some time.

GLSA Vote: No
Comment 4 Johannes Huber (RETIRED) gentoo-dev 2017-02-20 19:00:42 UTC
Plasma 4 removed from tree.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7f71cc2968e08d586ccd24ad34c34230ddf37f62
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-21 19:03:12 UTC
Repository is clean, all done.