Public bug reported:

KDE Project Security Advisory
=============================

Title:          kinit: World readable X11 Cookie key logger
Risk Rating:    Important
CVE:            CVE-2016-3100
Platforms:      X11
Versions:       kinit < 5.23
Author:         Siddharth Sharma siddharth....@gmail.com
Date:           21 June 2016

Overview
========

An authorized user can log key events of other users by accessing a
world-readable X11 cookie.

Impact
======

A pre-authenticated attacker can read all key events by the users logged on
to the system.

Workaround
==========

None

Solution
========

For kinit apply the following patches:
https://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=dece8fd89979cd1a86c03bcaceef6e9221e8d8cd
https://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=72f3702dbe6cf15c06dc13da2c99c864e9022a58

References
==========

https://bugs.kde.org/show_bug.cgi?id=358593
https://bugs.kde.org/show_bug.cgi?id=363140

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: kinit 5.18.0-0ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-24.43-generic 4.4.10
Uname: Linux 4.4.0-24-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: KDE
Date: Thu Jun 23 14:06:42 2016
InstallationDate: Installed on 2016-02-11 (132 days ago)
InstallationMedia: Ubuntu 14.04.3 LTS "Trusty Tahr" - Beta amd64 (20150805)
SourcePackage: kinit
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: kinit (Ubuntu)
     Importance: High
     Assignee: Philip Muškovac (yofel)
         Status: New

** Affects: kinit (Ubuntu Xenial)
     Importance: High
     Assignee: Philip Muškovac (yofel)
         Status: New

** Tags: amd64 apport-bug xenial

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3100

** Changed in: kinit (Ubuntu)
   Importance: Undecided => High

** Changed in: kinit (Ubuntu)
     Assignee: (unassigned) => Philip Muškovac (yofel)

** Also affects: kinit (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: kinit (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: kinit (Ubuntu Xenial)
     Assignee: (unassigned) => Philip Muškovac (yofel)

--
You received this bug notification because you are
a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1595507

Title:
  World readable X11 Cookie key logger