World readable X11 Cookie key logger

Bug #1595507 reported by Philip Muškovac
This bug affects 1 person
Affects         Status        Importance  Assigned to      Milestone
kinit (Ubuntu)  Fix Released  High        Philip Muškovac
Xenial          Fix Released  High        Steve Beattie

Bug Description

KDE Project Security Advisory
=============================

Title: kinit: World readable X11 Cookie key logger
Risk Rating: Important
CVE: CVE-2016-3100
Platforms: X11
Versions: kinit < 5.23
Author: Siddharth Sharma <email address hidden>
Date: 21 June 2016

Overview
========

An authorized user can log key events of other users by accessing a
world-readable X11 cookie.

Impact
======

A pre-authenticated attacker can read all key events by the users logged on
to the system.

Workaround
==========

None

Solution
========

For kinit apply the following patches:
https://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=dece8fd89979cd1a86c03bcaceef6e9221e8d8cd
https://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=72f3702dbe6cf15c06dc13da2c99c864e9022a58

References
==========

https://bugs.kde.org/show_bug.cgi?id=358593
https://bugs.kde.org/show_bug.cgi?id=363140

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: kinit 5.18.0-0ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-24.43-generic 4.4.10
Uname: Linux 4.4.0-24-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: KDE
Date: Thu Jun 23 14:06:42 2016
InstallationDate: Installed on 2016-02-11 (132 days ago)
InstallationMedia: Ubuntu 14.04.3 LTS "Trusty Tahr" - Beta amd64 (20150805)
SourcePackage: kinit
UpgradeStatus: No upgrade log present (probably fresh install)
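
The advisory above comes down to a cookie file that other local users can read. As an added example (not kinit's code and not part of the original report), this sketch audits a directory for cookie files readable by group or other, and shows creating such a file owner-only from the moment it exists. The "xauth-" prefix is an assumption modelled on the patch file names listed in this report, and the sample file and cookie value are constructed.

```python
import os
import stat
import tempfile


def write_cookie_file(directory, cookie, prefix="xauth-"):
    """Create a cookie file that is owner-only from the instant it exists."""
    # mkstemp opens with O_CREAT|O_EXCL and mode 0600, so there is no window
    # between creation and a later chmod in which another user could open it.
    fd, path = tempfile.mkstemp(prefix=prefix, dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(cookie)
    return path


def find_exposed_cookie_files(directory, prefix="xauth-"):
    """Return sorted (path, octal mode) for cookie files readable by group/other."""
    exposed = []
    for entry in os.scandir(directory):
        if not entry.name.startswith(prefix):   # prefix is an assumption
            continue
        st = entry.stat(follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):        # skip symlinks, dirs, sockets
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            exposed.append((entry.path, oct(mode)))
    return sorted(exposed)


def demo():
    """Build one exposed and one owner-only file in a scratch dir, then audit."""
    with tempfile.TemporaryDirectory() as scratch:
        weak = os.path.join(scratch, "xauth-1000-_0")  # constructed sample name
        with open(weak, "wb") as fh:
            fh.write(b"constructed-cookie")
        os.chmod(weak, 0o644)                          # the world-readable state
        safe = write_cookie_file(scratch, b"constructed-cookie")
        findings = [(os.path.basename(p), m)
                    for p, m in find_exposed_cookie_files(scratch)]
        return findings, stat.S_IMODE(os.stat(safe).st_mode)


if __name__ == "__main__":
    print(demo())
```

On a live system, point `find_exposed_cookie_files` at the directory where the session's cookie files are written; any result means the cookie is readable beyond its owner.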


Philip Muškovac (yofel) wrote :
Changed in kinit (Ubuntu):
assignee: nobody → Philip Muškovac (yofel)
importance: Undecided → High
Changed in kinit (Ubuntu Xenial):
assignee: nobody → Philip Muškovac (yofel)
importance: Undecided → High
Philip Muškovac (yofel)
Changed in kinit (Ubuntu):
status: New → In Progress
Changed in kinit (Ubuntu Xenial):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kinit - 5.22.0-0ubuntu2

---------------
kinit (5.22.0-0ubuntu2) yakkety; urgency=medium

  * Security update CVE-2016-3100 (LP: #1595507)
    - add upstream_permissions-of-tmp-xauth-xxx-_y.diff
    - add upstream_Fix-race-in-which-the-file-containing-the-X11-cookie.diff

 -- Philip Muškovac <email address hidden> Thu, 23 Jun 2016 20:03:00 +0200

Changed in kinit (Ubuntu):
status: In Progress → Fix Released
Martin Pitt (pitti) wrote :

This is currently in the SRU queue, but shouldn't this go via -security?

information type: Public → Private Security
information type: Private Security → Public Security
Steve Beattie (sbeattie)
Changed in kinit (Ubuntu Xenial):
assignee: Philip Muškovac (yofel) → Steve Beattie (sbeattie)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kinit - 5.18.0-0ubuntu1.1

---------------
kinit (5.18.0-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: World readable X11 Cookie permissions problem
    (LP: #1595507)
    - add upstream_permissions-of-tmp-xauth-xxx-_y.diff
    - add upstream_Fix-race-in-which-the-file-containing-the-X11-cookie.diff
    - CVE-2016-3100
  * Update the Vcs URLs now that the repositories are hosted on
    Launchpad

 -- Philip Muškovac <email address hidden> Fri, 24 Jun 2016 15:56:13 -0700

Changed in kinit (Ubuntu Xenial):
status: In Progress → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
