Bug 686422 (CVE-2018-20839) - <sys-apps/systemd-243: unauthorized disclosure of information (VT kbd reset check)
Alias: CVE-2018-20839
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: A4 [noglsa cve]
Reported: 2019-05-20 23:58 UTC by D'juan McDonald (domhnall)
Modified: 2020-05-04 01:11 UTC



Description D'juan McDonald (domhnall) 2019-05-20 23:58:38 UTC

systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.


@maintainer(s): Milestone for v243 release

Gentoo Security Padawan
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-05-21 00:22:10 UTC
Commit is upstream in master:
Comment 2 Mike Gilbert gentoo-dev 2019-07-10 18:10:18 UTC
Waiting for this to be fixed.
Comment 3 Sam James gentoo-dev Security 2020-04-26 03:27:04 UTC
(In reply to Mike Gilbert from comment #2)
> Waiting for this to be fixed.

Fixed in

... which seems to have landed in v243. So tree is clean?