Package: konqueror
Version: 4:15.04.3-1
Severity: grave
Tags: security
Justification: user security hole

I was just typing a geocaching log in a konqueror that popped up when activating a link in a mail (to the cache listing) and noticed small decimal digits scrolling by, one on a line, in the xterm that was not fully hidden from view by the konqueror window. Sometimes, the number was 32. I was on full alert.

Natureshadow managed to reproduce this on sid amd64, so it’s not an x32 issue, although he had to switch back to KHTML from Webkit (via menu V̲iew → V̲iew Mode → K̲HTML) to reproduce it.

Shortest reproducer, even if using a proprietary service:

$ konqueror pastebin.com

Then just start typing (after switching to KHTML if needed).

-- System Information:
Debian Release: stretch/sid
  APT prefers unreleased
  APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages konqueror depends on:
ii  install-info            6.0.0.dfsg.1-3
ii  kde-baseapps-bin        4:15.04.3-1
ii  kde-baseapps-data       4:15.04.3-1
ii  kde-runtime             4:15.08.0-2
ii  libc6                   2.19-20
ii  libkactivities6         4:4.13.3-1
ii  libkcmutils4            4:4.14.10-3
ii  libkde3support4         4:4.14.10-3
ii  libkdecore5             4:4.14.10-3
ii  libkdesu5               4:4.14.10-3
ii  libkdeui5               4:4.14.10-3
ii  libkfile4               4:4.14.10-3
ii  libkhtml5               4:4.14.10-3
ii  libkio5                 4:4.14.10-3
ii  libkonq5abi1            4:15.04.3-1
ii  libkonqsidebarplugin4a  4:15.04.3-1
ii  libkparts4              4:4.14.10-3
ii  libqt4-dbus             4:4.8.7+dfsg-3
ii  libqt4-qt3support       4:4.8.7+dfsg-3
ii  libqt4-xml              4:4.8.7+dfsg-3
ii  libqtcore4              4:4.8.7+dfsg-3
ii  libqtgui4               4:4.8.7+dfsg-3
ii  libstdc++6              5.2.1-17
ii  libx11-6                2:1.6.3-1

Versions of packages konqueror recommends:
ii  dolphin             4:15.04.3-1
ii  kfind               4:15.04.3-1
pn  konqueror-nsplugins <none>
ii  kpart-webkit        1.3.4-2

Versions of packages konqueror suggests:
ii  konq-plugins  4:15.04.3-1

-- no debconf information