[Secure-testing-team] Bug#799186: konqueror: now comes with built-in keylogger

Thorsten Glaser tg at mirbsd.de
Wed Sep 16 16:14:44 UTC 2015


Package: konqueror
Version: 4:15.04.3-1
Severity: grave
Tags: security
Justification: user security hole

I was just typing a geocaching log in a konqueror that popped up
when activating a link in a mail (to the cache listing) and noticed
small decimal digits scrolling by, one on a line, in the xterm that
was not fully hidden from view by the konqueror window. Sometimes,
the number was 32. I was on full alert.

Natureshadow managed to reproduce this on sid amd64, so it’s not an
x32 issue, although he had to switch back to KHTML from Webkit (via
menu V̲iew → V̲iew Mode → K̲HTML) to reproduce it.

Shortest reproducer, even if using a proprietary service:

$ konqueror pastebin.com

Then just start typing (after switching to KHTML if needed).

-- System Information:
Debian Release: stretch/sid
  APT prefers unreleased
  APT policy: (500, 'unreleased'), (500, 'buildd-unstable'), (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: i386, amd64

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages konqueror depends on:
ii  install-info            6.0.0.dfsg.1-3
ii  kde-baseapps-bin        4:15.04.3-1
ii  kde-baseapps-data       4:15.04.3-1
ii  kde-runtime             4:15.08.0-2
ii  libc6                   2.19-20
ii  libkactivities6         4:4.13.3-1
ii  libkcmutils4            4:4.14.10-3
ii  libkde3support4         4:4.14.10-3
ii  libkdecore5             4:4.14.10-3
ii  libkdesu5               4:4.14.10-3
ii  libkdeui5               4:4.14.10-3
ii  libkfile4               4:4.14.10-3
ii  libkhtml5               4:4.14.10-3
ii  libkio5                 4:4.14.10-3
ii  libkonq5abi1            4:15.04.3-1
ii  libkonqsidebarplugin4a  4:15.04.3-1
ii  libkparts4              4:4.14.10-3
ii  libqt4-dbus             4:4.8.7+dfsg-3
ii  libqt4-qt3support       4:4.8.7+dfsg-3
ii  libqt4-xml              4:4.8.7+dfsg-3
ii  libqtcore4              4:4.8.7+dfsg-3
ii  libqtgui4               4:4.8.7+dfsg-3
ii  libstdc++6              5.2.1-17
ii  libx11-6                2:1.6.3-1

Versions of packages konqueror recommends:
ii  dolphin              4:15.04.3-1
ii  kfind                4:15.04.3-1
pn  konqueror-nsplugins  <none>
ii  kpart-webkit         1.3.4-2

Versions of packages konqueror suggests:
ii  konq-plugins  4:15.04.3-1

-- no debconf information


