Processed: Re: Bug#799186: konqueror: now comes with built-in keylogger

2015-11-14 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> retitle 799186 kdelibs/ktextedit: keypresses are logged
Bug #799186 [konqueror] konqueror: now comes with built-in keylogger
Changed Bug title to 'kdelibs/ktextedit: keypresses are logged' from 
'konqueror: now comes with built-in keylogger'
> reassign 799186 libkdeui5 kde4libs/4:4.14.10-3
Bug #799186 [konqueror] kdelibs/ktextedit: keypresses are logged
Bug reassigned from package 'konqueror' to 'libkdeui5'.
No longer marked as found in versions kde-baseapps/4:15.04.3-1.
Ignoring request to alter fixed versions of bug #799186 to the same values 
previously set
Bug #799186 [libkdeui5] kdelibs/ktextedit: keypresses are logged
Marked as found in versions kde4libs/4:4.14.10-3.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
799186: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799186
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#799186: konqueror: now comes with built-in keylogger

2015-11-14 Thread Luigi Toscano
retitle 799186 kdelibs/ktextedit: keypresses are logged
reassign 799186 libkdeui5 kde4libs/4:4.14.10-3
thanks

On Wed, 16 Sep 2015 23:04:24 +0200 Martin Steigerwald wrote:
> On Wednesday, 16 September 2015, 22:55:23 CEST, Dominik George wrote:
> > > I think this is an upstream bug – of course I'd go for fixing it in Debian
> > > without waiting for upstream fix.
> > > 
> > > Thorsten, will you report upstream as well?
> > 
> > I could do, because I am active in the KDE bugtracker.
> 
> Sure, go ahead. It might be wise to search for the kdelibs4.11 fix first 
> though, see my last mail to the bug report.
> 

I didn't find an upstream bug, but this issue was fixed in kdelibs commit
150d983674e9d61e2809316e062e5d91c7855609, see:

https://quickgit.kde.org/?p=kdelibs.git=commit=150d983674e9d61e2809316e062e5d91c7855609

This commit is part of any kdelibs >= 4.14.11. Right now 4.14.13 is available
in sid and testing.

I also tried the steps described above (go to a website with a text area, like
pastebin.com, using the KHTML part) and indeed no keys are logged anymore.

Therefore I'm going to close this bug.

Ciao
-- 
Luigi



Bug#799186: konqueror: now comes with built-in keylogger

2015-09-16 Thread Thorsten Glaser
Package: konqueror
Version: 4:15.04.3-1
Severity: grave
Tags: security
Justification: user security hole

I was just typing a geocaching log in a konqueror that popped up
when activating a link in a mail (to the cache listing) and noticed
small decimal digits scrolling by, one on a line, in the xterm that
was not fully hidden from view by the konqueror window. Sometimes,
the number was 32. I was on full alert.

Natureshadow managed to reproduce this on sid amd64, so it’s not an
x32 issue, although he had to switch back to KHTML from Webkit (via
menu V̲iew → V̲iew Mode → K̲HTML) to reproduce it.

Shortest reproducer, even if using a proprietary service:

$ konqueror pastebin.com

Then just start typing (after switching to KHTML if needed).

-- System Information:
Debian Release: stretch/sid
  APT prefers unreleased
  APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages konqueror depends on:
ii  install-info            6.0.0.dfsg.1-3
ii  kde-baseapps-bin        4:15.04.3-1
ii  kde-baseapps-data       4:15.04.3-1
ii  kde-runtime             4:15.08.0-2
ii  libc6                   2.19-20
ii  libkactivities6         4:4.13.3-1
ii  libkcmutils4            4:4.14.10-3
ii  libkde3support4         4:4.14.10-3
ii  libkdecore5             4:4.14.10-3
ii  libkdesu5               4:4.14.10-3
ii  libkdeui5               4:4.14.10-3
ii  libkfile4               4:4.14.10-3
ii  libkhtml5               4:4.14.10-3
ii  libkio5                 4:4.14.10-3
ii  libkonq5abi1            4:15.04.3-1
ii  libkonqsidebarplugin4a  4:15.04.3-1
ii  libkparts4              4:4.14.10-3
ii  libqt4-dbus             4:4.8.7+dfsg-3
ii  libqt4-qt3support       4:4.8.7+dfsg-3
ii  libqt4-xml              4:4.8.7+dfsg-3
ii  libqtcore4              4:4.8.7+dfsg-3
ii  libqtgui4               4:4.8.7+dfsg-3
ii  libstdc++6              5.2.1-17
ii  libx11-6                2:1.6.3-1

Versions of packages konqueror recommends:
ii  dolphin              4:15.04.3-1
ii  kfind                4:15.04.3-1
pn  konqueror-nsplugins
ii  kpart-webkit         1.3.4-2

Versions of packages konqueror suggests:
ii  konq-plugins  4:15.04.3-1

-- no debconf information



Bug#799186: konqueror: now comes with built-in keylogger

2015-09-16 Thread Dominik George
> I was just typing a geocaching log in a konqueror that popped up
> when activating a link in a mail (to the cache listing) and noticed
> small decimal digits scrolling by, one on a line, in the xterm that
> was not fully hidden from view by the konqueror window. Sometimes,
> the number was 32. I was on full alert.
> 
> Natureshadow managed to reproduce this on sid amd64, so it’s not an
> x32 issue, although he had to switch back to KHTML from Webkit (via
> menu V̲iew → V̲iew Mode → K̲HTML) to reproduce it.

Confirmed, as well as the fact that this of course goes to .xsession-errors, 
which delivers the key log readily to anyone asking.

-nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296

Dominik George · Mobil: +49-151-61623918

Teckids e.V. · FrOSCon e.V. · OpenRheinRuhr e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Contributor

LPIC-3 Linux Enterprise Professional (Security)
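
A check for the exposure described in this thread, as an added example that is not part of the original messages or of KDE's code: it scans a session log for runs of lines holding nothing but a small decimal number and reports whether the file is readable by group or others. The one-number-per-line pattern comes from the report; the three-digit limit, the minimum run length and all function names are assumptions.

```python
import os
import re
import stat

# Assumption: each logged keypress is a line holding only a small decimal
# number, as the report describes ("one on a line", "sometimes 32").
KEYCODE_LINE = re.compile(r"^\s*\d{1,3}\s*$")


def find_keycode_runs(lines, min_run=4):
    """Return (first_line_no, run_length) for each run of bare-number lines.

    The numbers themselves are not returned, so the report does not copy
    the leaked keystrokes anywhere else.
    """
    runs, start, length = [], None, 0
    for no, line in enumerate(lines, 1):
        if KEYCODE_LINE.match(line):
            if start is None:
                start = no
            length += 1
            continue
        if length >= min_run:
            runs.append((start, length))
        start, length = None, 0
    if length >= min_run:  # run that reaches the end of the file
        runs.append((start, length))
    return runs


def readable_by_others(path):
    """True if group or other has read permission on the log file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit(path=os.path.expanduser("~/.xsession-errors")):
    """Scan one session log; returns (runs, readable_by_others)."""
    with open(path, errors="replace") as fh:
        runs = find_keycode_runs(fh)
    return runs, readable_by_others(path)


# Constructed sample lines, not taken from a real log.
SAMPLE = ["session start (constructed)", "104", "101", "108", "108", "111",
          "32", "some warning (constructed)", "119",
          "another message (constructed)"]
```

A single stray number (line 9 of the sample) is ignored; only runs of at least `min_run` lines are reported, which keeps ordinary numeric log output from raising false alarms.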



Bug#799186: konqueror: now comes with built-in keylogger

2015-09-16 Thread Martin Steigerwald
On Wednesday, 16 September 2015, 18:20:40 CEST, Dominik George wrote:
> > I was just typing a geocaching log in a konqueror that popped up
> > when activating a link in a mail (to the cache listing) and noticed
> > small decimal digits scrolling by, one on a line, in the xterm that
> > was not fully hidden from view by the konqueror window. Sometimes,
> > the number was 32. I was on full alert.
> > 
> > Natureshadow managed to reproduce this on sid amd64, so it’s not an
> > x32 issue, although he had to switch back to KHTML from Webkit (via
> > menu V̲iew → V̲iew Mode → K̲HTML) to reproduce it.
> 
> Confirmed, as well as the fact that this of course goes to .xsession-errors,
> which delivers the key log readily to anyone asking.

Confirmed.

I think this is an upstream bug – of course I'd go for fixing it in Debian
without waiting for upstream fix.

Thorsten, will you report upstream as well?

Thanks,
-- 
Martin



Bug#799186: konqueror: now comes with built-in keylogger

2015-09-16 Thread Dominik George
> I think this is an upstream bug – of course I'd go for fixing it in Debian
> without waiting for upstream fix.
> 
> Thorsten, will you report upstream as well?

I could do, because I am active in the KDE bugtracker.

-nik



Bug#799186: konqueror: now comes with built-in keylogger

2015-09-16 Thread Martin Steigerwald
On Wednesday, 16 September 2015, 22:55:23 CEST, Dominik George wrote:
> > I think this is an upstream bug – of course I'd go for fixing it in Debian
> > without waiting for upstream fix.
> > 
> > Thorsten, will you report upstream as well?
> 
> I could do, because I am active in the KDE bugtracker.

Sure, go ahead. It might be wise to search for the kdelibs4.11 fix first 
though, see my last mail to the bug report.

Thank you,
-- 
Martin