[Bug 942810] New: kgpg editor outputs typed characters to stderr
http://bugzilla.opensuse.org/show_bug.cgi?id=942810

Bug ID: 942810
Summary: kgpg editor outputs typed characters to stderr
Classification: openSUSE
Product: openSUSE Distribution
Version: 13.2
Hardware: All
OS: openSUSE 13.2
Status: NEW
Severity: Major
Priority: P5 - None
Component: KDE4 Applications
Assignee: kde-maintainers@suse.de
Reporter: jbuckingham@blueyonder.co.uk
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Build Identifier:

I happened to run kgpg from the CLI in a konsole, and then used its editor to open an encrypted file. What I then noticed was that as I typed stuff in the editor, the characters were appearing in the konsole (numeric encoding) e.g. 65 for 'a', 66 for 'b' etc. They seemed to go to stderr.

This is a security issue since kgpg is often used to store passwords and other secrets.

According to https://forums.opensuse.org/showthread.php/509249-kgpg-editor-insecure?highl......

That's actually kdelibs4's fault. It contains a debug statement in ktextedit that outputs every pressed key to stderr. The same happens when you rename a file in dolphin e.g.

It has been fixed recently with the following commit: https://quickgit.kde.org/?p=kdelibs....2e5d91c7855609

If you think we should fix this in openSUSE 13.2 as well, please file a bug report.

See also: https://forum.kde.org/viewtopic.php?f=223&t=127144

Reproducible: Always

Steps to Reproduce:
1. run kgpg from CLI
2. open kgpg editor
3. open file from within editor
4. Observe typed characters in original shell

Actual Results:
characters were appearing in the konsole (numeric encoding) e.g. 65 for 'a', 66 for 'b' etc.

Expected Results:
Nothing output to stderr or stdout. It should be a secure application

--
You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=942810
http://bugzilla.opensuse.org/show_bug.cgi?id=942810#c1
Wolfgang Bauer
> That's actually kdelibs4's fault. It contains a debug statement in ktextedit that outputs every pressed key to stderr. The same happens when you rename a file in dolphin e.g.
> It has been fixed recently with the following commit: https://quickgit.kde.org/?p=kdelibs....2e5d91c7855609
This is fixed in kdelibs 4.14.11 (it contains the mentioned commit), which has been released last week as part of the KDE Applications 15.08.0 release.

I would suggest to just release that version as update for 13.2.

Btw, this is also an issue in latest Tumbleweed. kdelibs4 hasn't been updated to 4.14.11 yet in KDE:Distro:Factory either.
http://bugzilla.opensuse.org/show_bug.cgi?id=942810
http://bugzilla.opensuse.org/show_bug.cgi?id=942810#c2
Wolfgang Bauer
> This is fixed in kdelibs 4.14.11 (it contains the mentioned commit), which has been released last week as part of the KDE Applications 15.08.0 release.
> I would suggest to just release that version as update for 13.2.
Unfortunately it turned out that the latest kdelibs4 versions break the build of quite a few KDE4 applications. Many of them have been fixed upstream, but we'd need to update all of them too, and for some (kmix in particular) a fix is not even available yet. So we probably should just add the patch that fixes it. @Maintenance team: Can I submit an update? Leap 42.1 is affected by this as well.
> Btw, this is also an issue in latest Tumbleweed. kdelibs4 hasn't been updated to 4.14.11 yet in KDE:Distro:Factory either.
At least this has been fixed meanwhile, Tumbleweed has kdelibs4 4.14.14 now.