[Desktop-packages] [Bug 1826273] Re: Potential Side-channel during Graphics Rendering

Thu, 25 Apr 2019 11:50:53 -0700 

** Information type changed from Private Security to Public Security

** Changed in: onboard (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to onboard in Ubuntu.
https://bugs.launchpad.net/bugs/1826273

Title:
  Potential Side-channel during Graphics Rendering

Status in onboard package in Ubuntu:
  Confirmed

Bug description:
  Dear Ubuntu Development Team,

  We're a group of researchers from University of California Riverside.
  We recently discovered that the Onboard keyboard application takes a
  variable amount of time to render the highlight effect depending on
  the input character. As a result, an unprivileged attacker could
  potentially utilize flush+reload cache side-channel attack to measure
  the execution time of said functions to infer users' text input. We
  verified this using the Onboard 1.2.0-0ubuntu5 that comes with Ubuntu
  16.04.03 LTS.

  The side-channel resides in Cairo graphics library. We contacted the
  Cairo development team and they instruct us to contact you instead.

  For detailed information please refer to our paper in the link below.
  We would be very happy to work with you to address this issue. Please
  let us know what you think.

  https://www.cs.ucr.edu/~zhiyunq/pub/ndss19_cache_keystrokes.pdf

  Sincerely,
  Daimeng Wang

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: onboard 1.2.0-0ubuntu5
  ProcVersionSignature: Ubuntu 4.4.0-101.124-generic 4.4.95
  Uname: Linux 4.4.0-101-generic x86_64
  NonfreeKernelModules: nvidia_uvm nvidia_drm nvidia_modeset nvidia
  ApportVersion: 2.20.1-0ubuntu2.13
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Wed Apr 24 14:19:48 2019
  InstallationDate: Installed on 2016-01-07 (1203 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
  SourcePackage: onboard
  UpgradeStatus: Upgraded to xenial on 2017-11-21 (519 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/onboard/+bug/1826273/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to