From kde-announce Thu Jan 22 21:47:55 2015
From: Albert Astals Cid
Date: Thu, 22 Jan 2015 21:47:55 +0000
To: kde-announce
Subject: [kde-announce] KDE Project Security Advisory: plasma-workspace: Network access from screen locker
Message-Id: <3798332.bnPt02DX6X () xps>
X-MARC-Message: https://marc.info/?l=kde-announce&m=142218931032080

KDE Project Security Advisory
=============================

Title:        plasma-workspace: Network access from screen locker
Risk Rating:  Low
CVE:          CVE-2015-1307
Platforms:    X11
Versions:     plasma-workspace < 5.1.95
Author:       Martin Gräßlin <mgraesslin@kde.org>
Date:         22 January 2015

Overview
========

Plasma's lock screen implementation uses Look and Feel packages containing
QtQuick source files to style the lock screen. Look and Feel packages can be
selected by the user using a system settings module, so a user could download
a Look and Feel package and install it locally.

The QtQuick view that renders the lock screen allows network interaction, so
a malicious Look and Feel package could collect the user's password on every
system it is installed on. Similarly, any application running as the given
user could install a different Look and Feel package and select it in order
to obtain the user's password.

Impact
======

If a user downloaded and installed a Look and Feel package, the user's
password might be sent to the author of the Look and Feel package.

Workaround
==========

Use one of the default provided Look and Feel packages.

Solution
========

For plasma-workspace upgrade to Plasma 5.1.95 or apply the following patch:
http://commits.kde.org/plasma-workspace/0a9cea625dfcb068fb03a4deab7430b1c4ad8aa4

Credits
=======

Thanks to Martin Gräßlin for finding and fixing the issue.

_______________________________________________
kde-announce mailing list
kde-announce@kde.org
https://mail.kde.org/mailman/listinfo/kde-announce