Package: konqueror
Version: 4:15.04.3-1
Severity: grave
Tags: security
Justification: user security hole

I was just typing a geocaching log in a konqueror that popped up
when activating a link in a mail (to the cache listing) and noticed
small decimal digits scrolling by, one on a line, in the xterm that
was not fully hidden from view by the konqueror window. Sometimes,
the number was 32. I was on full alert.

Natureshadow managed to reproduce this on sid amd64, so it’s not an
x32 issue, although he had to switch back to KHTML from Webkit (via
menu V̲iew → V̲iew Mode → K̲HTML) to reproduce it.

Shortest reproducer, even if using a proprietary service:

$ konqueror pastebin.com

Then just start typing (after switching to KHTML if needed).

-- System Information:
Debian Release: stretch/sid
  APT prefers unreleased
  APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages konqueror depends on:
ii  install-info            6.0.0.dfsg.1-3
ii  kde-baseapps-bin        4:15.04.3-1
ii  kde-baseapps-data       4:15.04.3-1
ii  kde-runtime             4:15.08.0-2
ii  libc6                   2.19-20
ii  libkactivities6         4:4.13.3-1
ii  libkcmutils4            4:4.14.10-3
ii  libkde3support4         4:4.14.10-3
ii  libkdecore5             4:4.14.10-3
ii  libkdesu5               4:4.14.10-3
ii  libkdeui5               4:4.14.10-3
ii  libkfile4               4:4.14.10-3
ii  libkhtml5               4:4.14.10-3
ii  libkio5                 4:4.14.10-3
ii  libkonq5abi1            4:15.04.3-1
ii  libkonqsidebarplugin4a  4:15.04.3-1
ii  libkparts4              4:4.14.10-3
ii  libqt4-dbus             4:4.8.7+dfsg-3
ii  libqt4-qt3support       4:4.8.7+dfsg-3
ii  libqt4-xml              4:4.8.7+dfsg-3
ii  libqtcore4              4:4.8.7+dfsg-3
ii  libqtgui4               4:4.8.7+dfsg-3
ii  libstdc++6              5.2.1-17
ii  libx11-6                2:1.6.3-1

Versions of packages konqueror recommends:
ii  dolphin              4:15.04.3-1
ii  kfind                4:15.04.3-1
pn  konqueror-nsplugins  <none>
ii  kpart-webkit         1.3.4-2

Versions of packages konqueror suggests:
ii  konq-plugins  4:15.04.3-1

-- no debconf information
