World readable X11 Cookie key logger
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kinit (Ubuntu) | Fix Released | High | Philip Muškovac |
Xenial | Fix Released | High | Steve Beattie |
Bug Description
KDE Project Security Advisory
=======
Title: kinit: World readable X11 Cookie key logger
Risk Rating: Important
CVE: CVE-2016-3100
Platforms: X11
Versions: kinit < 5.23
Author: Siddharth Sharma <email address hidden>
Date: 21 June 2016
Overview
========
An authorized user can log the key events of other users by accessing
the world-readable X11 cookie.
Impact
======
A pre-authenticated attacker can read all key events by the users logged on
to the system.
Workaround
==========
None
Solution
========
For kinit apply the following patches:
https:/
https:/
References
==========
https:/
https:/
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: kinit 5.18.0-0ubuntu1
ProcVersionSign
Uname: Linux 4.4.0-24-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: KDE
Date: Thu Jun 23 14:06:42 2016
InstallationDate: Installed on 2016-02-11 (132 days ago)
InstallationMedia: Ubuntu 14.04.3 LTS "Trusty Tahr" - Beta amd64 (20150805)
SourcePackage: kinit
UpgradeStatus: No upgrade log present (probably fresh install)
CVE References
Changed in kinit (Ubuntu):
status: New → In Progress
Changed in kinit (Ubuntu Xenial):
status: New → In Progress
Changed in kinit (Ubuntu Xenial):
assignee: Philip Muškovac (yofel) → Steve Beattie (sbeattie)
This bug was fixed in the package kinit - 5.22.0-0ubuntu2
---------------
kinit (5.22.0-0ubuntu2) yakkety; urgency=medium
* Security update CVE-2016-3100 (LP: #1595507)
- add upstream_permissions-of-tmp-xauth-xxx-_y.diff
- add upstream_Fix-race-in-which-the-file-containing-the-X11-cookie.diff
-- Philip Muškovac <email address hidden> Thu, 23 Jun 2016 20:03:00 +0200
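
The two patch names in the changelog above point at a permissions race on the file that holds the X11 cookie. The following C example is an added illustration of that bug class and its hardened counterpart, not kinit's code or the upstream patches; the function names, the 022 umask and the sample cookie string are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static const char COOKIE[] = "constructed-sample-cookie\n"; /* not a real cookie */

static int mode_of(const char *path) {   /* permission bits, or -1 on error */
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Racy: create under the process umask, tighten afterwards. Returns the
 * mode other local users could observe between the two steps. */
int racy_create(const char *path) {
    mode_t old = umask(022);             /* common default umask */
    FILE *f = fopen(path, "w");          /* created as 0666 & ~022 = 0644 */
    umask(old);
    if (!f) return -1;
    fputs(COOKIE, f);
    fclose(f);
    int window = mode_of(path);          /* secret on disk, world-readable */
    chmod(path, 0600);                   /* too late to undo an earlier read */
    return window;
}

/* Hardened: the file is owner-only from the moment it exists. Returns the
 * mode at creation time, or -1 on error. */
int private_create(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;               /* O_EXCL refuses a pre-planted file */
    struct stat st;
    if (fstat(fd, &st) != 0 || (st.st_mode & 077) != 0) {
        close(fd); unlink(path); return -1;
    }
    ssize_t n = write(fd, COOKIE, sizeof COOKIE - 1);
    close(fd);
    return n < 0 ? -1 : (int)(st.st_mode & 0777);
}

int main(int argc, char **argv) {        /* usage: ./a.out <new-file> <new-file> */
    if (argc != 3) return 2;
    printf("racy window mode:  %04o\n", (unsigned)racy_create(argv[1]));
    printf("private file mode: %04o\n", (unsigned)private_create(argv[2]));
    return 0;
}
```

Both files end up with mode 0600; only the second one was never readable by group or others while the cookie was on disk.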