SB2016071310 - Information disclosure in KDE Frameworks
Published: July 13, 2016 Updated: August 19, 2019
Security Bulletin ID
SB2016071310
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Incorrect default permissions (CVE-ID: CVE-2016-3100)
CWE-ID: CWE-276 - Incorrect Default Permissions
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions (e.g. 644) for /tmp/xauth-xxx-_y file that stores.X11 cookie. A local user can view contents of the file, obtain X11 cookies and consequently capture keystrokes of other users.
Remediation
Install update from vendor's website.
References
- http://lists.opensuse.org/opensuse-updates/2016-07/msg00001.html
- http://www.kde.com/announcements/kde-frameworks-5.23.0.php
- http://www.securityfocus.com/bid/91769
- https://bugs.kde.org/show_bug.cgi?id=358593
- https://bugs.kde.org/show_bug.cgi?id=363140
- https://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=72f3702dbe6cf15c06dc13da2c99c864e9022a58
- https://quickgit.kde.org/?p=kinit.git&a=commitdiff&h=dece8fd89979cd1a86c03bcaceef6e9221e8d8cd
- https://www.kde.org/info/security/advisory-20160621-1.txt