Bug 1183710 (CVE-2015-1308)

Summary: CVE-2015-1308 kde-workspace: X11 clients can eavesdrop input events while screen is locked
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: dvratil, jgrulich, jreznik, jrusnack, kevin, ltinkl, mbriza, rdieter, rnovacek, than
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kde-workspace 4.2.0 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-27 05:28:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1183712    
Bug Blocks: 1183711    

Description Martin Prpič 2015-01-19 14:30:05 UTC 
The following issue was found in KDE workspace:

Overview
========

Plasma ScreenLocker deamon (ksld) as part of ksmserver grabs keyboard and mouse to ensure that no other X11 client is able to read the input while the screen is locked. All input events are sent from ksld to the greeter process showing the unlocking UI.

The vulnerability allows any X11 client (either locally or remote) to gain access to all input events entered while the screen is locked.

Impact
======

Any application having access to the X server is able to sniff the user's password. An application connected to the X server might be run by a different user or even be a remote application.

Workaround
==========

To reduce the risk it's recommended to not allow X11 clients from other user accounts on the local system or remote X11 clients to connect to the X server.

On kde-workspace using the "Screen locker type" "Screen saver" instead of the default "Simple locker" can circumvent the problem.

In general disabling the screen locker also circumvents the problem.

Solution
========

For plasma-workspace upgrade to Plasma 5.1.95 or apply the following patch:

http://commits.kde.org/plasma-workspace/0ac34dca5d6a6ea8fc5c06e1dae96fb1ad4ce7c9
Comment 1 Martin Prpič 2015-01-19 14:30:38 UTC 
CVE request: http://seclists.org/oss-sec/2015/q1/153
Comment 2 Martin Prpič 2015-01-19 14:31:57 UTC 
Created kde-workspace tracking bugs for this issue:

Affects: fedora-all [bug 1183712]
Comment 3 Rex Dieter 2015-01-19 14:45:24 UTC 
I'll poke upstream to find out why kde-workspace has no fix (afaict)
Comment 4 Than Ngo 2015-01-19 15:32:50 UTC 
(In reply to Rex Dieter from comment #3)
> I'll poke upstream to find out why kde-workspace has no fix (afaict)

i already sent email to martin Gräßlin and asked him if there's a backport patch for kde-workspace. Still waiting.
Comment 5 Than Ngo 2015-01-20 11:41:43 UTC 
i got the reply from martin yesterday. it seems there's no plan to provide the fix for old kde-workspace. i attached his reply.


>Hi Than,
>
>no there is no plan to back port it to kde-workspace. This would require lots 
>of work for questionable results. In particular the screen locker in kde-
>workspace allows to be quit through DBus (which is apparently considered a 
>feature). So one could just end the screen locker and start a fake locker 
>without going the complicated attack I found.
>
>Best Regards
>Martin Gräßlin