Bug 1907782

Summary: Disable dangerous key logging with librime
Product: [Fedora] Fedora Reporter: Alice McLafferty <xnwrsp>
Component: librimeAssignee: Peng Wu <pwu>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 33CC: i18n-bugs, petersen, pwu
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: librime-1.5.3-3.fc32 Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-01-01 01:24:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alice McLafferty 2020-12-15 08:38:15 UTC 
Description of problem:
A very verbose log is being saved at /tmp/rime.fcitx-rime.INFO which can become very large and contains everything the user has typed. Even worse, permission set on this file is 755 which means everyone can read this file and see exactly what the user has typed.

Version-Release number of selected component (if applicable):
1.5.3

How reproducible:
Always

Steps to Reproduce:
1. add librime in fcitx
2. switch to it, and try to type something
3. read the file under /tmp/rime.fcitx-rime.INFO (which is a symlink to the actual log file)

Actual results:
Confidential data is saved to disk without user consent.

Expected results:
librime should not log anything that contains user input

Additional info:
I do not know where the cmake macro is from in the rpm spec but it should have the flag `DCMAKE_BUILD_TYPE=Release` set. Relevant issue: https://github.com/rime/librime/issues/254#issuecomment-625155952

Relevant bug reports:
https://bugs.gentoo.org/695702
Comment 1 Fedora Update System 2020-12-23 06:12:54 UTC 
FEDORA-2020-a3347ff2f9 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-a3347ff2f9
Comment 2 Fedora Update System 2020-12-24 01:09:57 UTC 
FEDORA-2020-a3347ff2f9 has been pushed to the Fedora 32 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-a3347ff2f9`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-a3347ff2f9

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 3 Alice McLafferty 2020-12-24 15:40:30 UTC 
This issue has been fixed with FEDORA-2020-032ae4123a. Thank you.
Comment 4 Fedora Update System 2021-01-01 01:24:29 UTC 
FEDORA-2020-a3347ff2f9 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.