1183710 – (CVE-2015-1308) CVE-2015-1308 kde-workspace: X11 clients can eavesdrop input events while screen is locked

Bug 1183710 (CVE-2015-1308) - CVE-2015-1308 kde-workspace: X11 clients can eavesdrop input events while screen is locked

Summary: CVE-2015-1308 kde-workspace: X11 clients can eavesdrop input events while scr...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2015-1308
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1183712
Blocks:	1183711
TreeView+	depends on / blocked

Reported:	2015-01-19 14:30 UTC by Martin Prpič
Modified:	2019-09-29 13:27 UTC (History)
CC List:	10 users (show)
Fixed In Version:	kde-workspace 4.2.0
Clone Of:
Environment:
Last Closed:	2015-02-27 05:28:45 UTC
Embargoed:

Attachments	(Terms of Use)

Description Martin Prpič 2015-01-19 14:30:05 UTC

The following issue was found in KDE workspace:

Overview
========

Plasma ScreenLocker deamon (ksld) as part of ksmserver grabs keyboard and mouse to ensure that no other X11 client is able to read the input while the screen is locked. All input events are sent from ksld to the greeter process showing the unlocking UI.

The vulnerability allows any X11 client (either locally or remote) to gain access to all input events entered while the screen is locked.

Impact
======

Any application having access to the X server is able to sniff the user's password. An application connected to the X server might be run by a different user or even be a remote application.

Workaround
==========

To reduce the risk it's recommended to not allow X11 clients from other user accounts on the local system or remote X11 clients to connect to the X server.

On kde-workspace using the "Screen locker type" "Screen saver" instead of the default "Simple locker" can circumvent the problem.

In general disabling the screen locker also circumvents the problem.

Solution
========

For plasma-workspace upgrade to Plasma 5.1.95 or apply the following patch:

http://commits.kde.org/plasma-workspace/0ac34dca5d6a6ea8fc5c06e1dae96fb1ad4ce7c9

Comment 1 Martin Prpič 2015-01-19 14:30:38 UTC

CVE request: http://seclists.org/oss-sec/2015/q1/153

Comment 2 Martin Prpič 2015-01-19 14:31:57 UTC

Created kde-workspace tracking bugs for this issue:

Affects: fedora-all [bug 1183712]

Comment 3 Rex Dieter 2015-01-19 14:45:24 UTC

I'll poke upstream to find out why kde-workspace has no fix (afaict)

Comment 4 Than Ngo 2015-01-19 15:32:50 UTC

(In reply to Rex Dieter from comment #3)
> I'll poke upstream to find out why kde-workspace has no fix (afaict)

i already sent email to martin Gräßlin and asked him if there's a backport patch for kde-workspace. Still waiting.

Comment 5 Than Ngo 2015-01-20 11:41:43 UTC

i got the reply from martin yesterday. it seems there's no plan to provide the fix for old kde-workspace. i attached his reply.


>Hi Than,
>
>no there is no plan to back port it to kde-workspace. This would require lots 
>of work for questionable results. In particular the screen locker in kde-
>workspace allows to be quit through DBus (which is apparently considered a 
>feature). So one could just end the screen locker and start a fake locker 
>without going the complicated attack I found.
>
>Best Regards
>Martin Gräßlin

Note You need to log in before you can comment on or make changes to this bug.