Processed: Re: Bug#799186: konqueror: now comes with built-in keylogger
Processing commands for cont...@bugs.debian.org:

> retitle 799186 kdelibs/ktextedit: keypresses are logged
Bug #799186 [konqueror] konqueror: now comes with built-in keylogger
Changed Bug title to 'kdelibs/ktextedit: keypresses are logged' from 'konqueror: now comes with built-in keylogger'
> reassign 799186 libkdeui5 kde4libs/4:4.14.10-3
Bug #799186 [konqueror] kdelibs/ktextedit: keypresses are logged
Bug reassigned from package 'konqueror' to 'libkdeui5'.
No longer marked as found in versions kde-baseapps/4:15.04.3-1.
Ignoring request to alter fixed versions of bug #799186 to the same values previously set
Bug #799186 [libkdeui5] kdelibs/ktextedit: keypresses are logged
Marked as found in versions kde4libs/4:4.14.10-3.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
799186: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799186
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#799186: konqueror: now comes with built-in keylogger
retitle 799186 kdelibs/ktextedit: keypresses are logged
reassign 799186 libkdeui5 kde4libs/4:4.14.10-3
thanks

On Wed, 16 Sep 2015 23:04:24 +0200 Martin Steigerwald wrote:
> On Wednesday, 16 September 2015, 22:55:23 CEST, Dominik George wrote:
> > > I think this is an upstream bug – of course I'd go for fixing it in
> > > Debian without waiting for upstream fix.
> > >
> > > Thorsten, will you report upstream as well?
> >
> > I could do, because I am active in the KDE bugtracker.
>
> Sure, go ahead. It might be wise to search for the kdelibs4.11 fix first
> though, see my last mail to the bug report.
>

I didn't find an upstream bug, but this issue was fixed in kdelibs commit
150d983674e9d61e2809316e062e5d91c7855609, see:
https://quickgit.kde.org/?p=kdelibs.git=commit=150d983674e9d61e2809316e062e5d91c7855609

This commit is part of any kdelibs >= 4.14.11. Right now 4.14.13 is
available in sid and testing.

I also tried the steps described above (go to a website with a text area,
like pastebin.com, using the KHTML part) and indeed no keys are logged
anymore.

Therefore I'm going to close this bug.

Ciao
-- 
Luigi
Bug#799186: konqueror: now comes with built-in keylogger
Package: konqueror
Version: 4:15.04.3-1
Severity: grave
Tags: security
Justification: user security hole

I was just typing a geocaching log in a konqueror that popped up
when activating a link in a mail (to the cache listing) and noticed
small decimal digits scrolling by, one on a line, in the xterm that
was not fully hidden from view by the konqueror window. Sometimes,
the number was 32. I was on full alert.

Natureshadow managed to reproduce this on sid amd64, so it’s not an
x32 issue, although he had to switch back to KHTML from Webkit (via
menu V̲iew → V̲iew Mode → K̲HTML) to reproduce it.

Shortest reproducer, even if using a proprietary service:

$ konqueror pastebin.com

Then just start typing (after switching to KHTML if needed).

-- System Information:
Debian Release: stretch/sid
  APT prefers unreleased
  APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages konqueror depends on:
ii  install-info            6.0.0.dfsg.1-3
ii  kde-baseapps-bin        4:15.04.3-1
ii  kde-baseapps-data       4:15.04.3-1
ii  kde-runtime             4:15.08.0-2
ii  libc6                   2.19-20
ii  libkactivities6         4:4.13.3-1
ii  libkcmutils4            4:4.14.10-3
ii  libkde3support4         4:4.14.10-3
ii  libkdecore5             4:4.14.10-3
ii  libkdesu5               4:4.14.10-3
ii  libkdeui5               4:4.14.10-3
ii  libkfile4               4:4.14.10-3
ii  libkhtml5               4:4.14.10-3
ii  libkio5                 4:4.14.10-3
ii  libkonq5abi1            4:15.04.3-1
ii  libkonqsidebarplugin4a  4:15.04.3-1
ii  libkparts4              4:4.14.10-3
ii  libqt4-dbus             4:4.8.7+dfsg-3
ii  libqt4-qt3support       4:4.8.7+dfsg-3
ii  libqt4-xml              4:4.8.7+dfsg-3
ii  libqtcore4              4:4.8.7+dfsg-3
ii  libqtgui4               4:4.8.7+dfsg-3
ii  libstdc++6              5.2.1-17
ii  libx11-6                2:1.6.3-1

Versions of packages konqueror recommends:
ii  dolphin              4:15.04.3-1
ii  kfind                4:15.04.3-1
pn  konqueror-nsplugins
ii  kpart-webkit         1.3.4-2

Versions of packages konqueror suggests:
ii  konq-plugins  4:15.04.3-1

-- no debconf information
Bug#799186: konqueror: now comes with built-in keylogger
> I was just typing a geocaching log in a konqueror that popped up
> when activating a link in a mail (to the cache listing) and noticed
> small decimal digits scrolling by, one on a line, in the xterm that
> was not fully hidden from view by the konqueror window. Sometimes,
> the number was 32. I was on full alert.
>
> Natureshadow managed to reproduce this on sid amd64, so it’s not an
> x32 issue, although he had to switch back to KHTML from Webkit (via
> menu V̲iew → V̲iew Mode → K̲HTML) to reproduce it.

Confirmed, as well as the fact that this of course goes to .xsession-errors,
which delivers the key log readily to anyone asking.

-nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Dominik George · Mobil: +49-151-61623918
Teckids e.V. · FrOSCon e.V. · OpenRheinRuhr e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Contributor
LPIC-3 Linux Enterprise Professional (Security)
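A defender-side check for the leak confirmed in this thread, as an added example that is not part of the original messages or of KDE/Debian code: it flags runs of number-only lines in a session log such as ~/.xsession-errors and reports whether the file is readable by other users. The run threshold, the 8-digit bound and the sample lines are assumptions constructed for illustration.

```python
import re
import stat
from pathlib import Path

# A line holding nothing but a small decimal number, as the report describes
# ("small decimal digits ... one on a line", e.g. 32). The 8-digit upper
# bound is an assumption made for this example.
NUMERIC_LINE = re.compile(r"^\s*\d{1,8}\s*$")


def find_numeric_runs(lines, min_run=5):
    """Return (first_line, last_line, length) for every run of consecutive
    number-only lines at least min_run long. Line numbers are 1-based."""
    lines = list(lines)
    runs, start = [], None
    # A trailing non-numeric sentinel closes a run that reaches end of file.
    for no, line in enumerate(lines + ["<eof>"], 1):
        if NUMERIC_LINE.match(line):
            if start is None:
                start = no
        else:
            if start is not None and no - start >= min_run:
                runs.append((start, no - 1, no - start))
            start = None
    return runs


def readable_by_others(mode):
    """True if group or other has read permission in this st_mode."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit(path):
    """Scan one session log for numeric runs and check its permissions."""
    p = Path(path).expanduser()
    lines = p.read_text(errors="replace").splitlines()
    return {"runs": find_numeric_runs(lines),
            "readable_by_others": readable_by_others(p.stat().st_mode)}


# Constructed sample lines, not taken from a real log.
SAMPLE = ["konqueror(4242): unrelated warning", "104", "101", "108", "108",
          "111", "32", "119", "kbuildsycoca4 running...", "7",
          "X Error: BadWindow"]

if __name__ == "__main__":
    print(find_numeric_runs(SAMPLE))
    print(audit("~/.xsession-errors"))
```

A non-empty "runs" list together with "readable_by_others" set to True is the combination this bug report is concerned with.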
Bug#799186: konqueror: now comes with built-in keylogger
On Wednesday, 16 September 2015, 18:20:40 CEST, Dominik George wrote:
> > I was just typing a geocaching log in a konqueror that popped up
> > when activating a link in a mail (to the cache listing) and noticed
> > small decimal digits scrolling by, one on a line, in the xterm that
> > was not fully hidden from view by the konqueror window. Sometimes,
> > the number was 32. I was on full alert.
> >
> > Natureshadow managed to reproduce this on sid amd64, so it’s not an
> > x32 issue, although he had to switch back to KHTML from Webkit (via
> > menu V̲iew → V̲iew Mode → K̲HTML) to reproduce it.
>
> Confirmed, as well as the fact that this of course goes to .xsession-errors,
> which delivers the key log readily to anyone asking.

Confirmed.

I think this is an upstream bug – of course I'd go for fixing it in Debian
without waiting for upstream fix.

Thorsten, will you report upstream as well?

Thanks,
-- 
Martin
Bug#799186: konqueror: now comes with built-in keylogger
> I think this is an upstream bug – of course I'd go for fixing it in Debian
> without waiting for upstream fix.
>
> Thorsten, will you report upstream as well?

I could do, because I am active in the KDE bugtracker.

-nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296
Dominik George · Mobil: +49-151-61623918
Teckids e.V. · FrOSCon e.V. · OpenRheinRuhr e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Contributor
LPIC-3 Linux Enterprise Professional (Security)
Bug#799186: konqueror: now comes with built-in keylogger
On Wednesday, 16 September 2015, 22:55:23 CEST, Dominik George wrote:
> > I think this is an upstream bug – of course I'd go for fixing it in Debian
> > without waiting for upstream fix.
> >
> > Thorsten, will you report upstream as well?
>
> I could do, because I am active in the KDE bugtracker.

Sure, go ahead. It might be wise to search for the kdelibs4.11 fix first
though, see my last mail to the bug report.

Thank you,
-- 
Martin