Bug 1344022 (CVE-2016-3100)

Summary: CVE-2016-3100 kde: world readable Xauthority file exposes cookie credentials
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jgrulich, me, rdieter, than
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-08 14:28:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1312060    

Description Adam Mariš 2016-06-08 14:27:15 UTC 
It was found that kdeinit5 creates /tmp/xauth-xxx-_y with inappropriate permission, which are 644 instead of 600. This can be exploited by stealing X11 cookie and running X11 keylogger. Malicious user is able to read key strokes of a different user which might be a sudo user. If attacker can log key events of a sudo user then it can lead to local privilege escalation.

Upstream bugs:

https://bugs.kde.org/show_bug.cgi?id=358593
https://bugs.kde.org/show_bug.cgi?id=363140

Upstream patches:

https://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=dece8fd89979cd1a86c03bcaceef6e9221e8d8cd
https://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=72f3702dbe6cf15c06dc13da2c99c864e9022a58
Comment 1 Adam Mariš 2016-06-08 14:27:26 UTC 
Acknowledgments:

Name: Stephan Mueller (Atsec)
Comment 2 Adam Mariš 2016-06-22 07:31:17 UTC 
External References:

https://www.kde.org/info/security/advisory-20160621-1.txt