<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: kdeconnect: CVE-2020-26164: multiple security issues in kdeconnectd network daemon
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Solar Designer <solar () openwall com>
Date: Tue, 13 Oct 2020 15:28:19 +0200
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On Tue, Oct 13, 2020 at 02:29:12PM +0200, Matthias Gerstner wrote:
The SUSE security team noticed that a new network service service
`kdeconnectd` was active by default in openSUSE Leap 15.2 listening on TCP
and UDP port 1716. `kdeconnectd` is started automatically in the context of
any KDE session and runs with the privileges of the logged in user.
`kdeconnectd` talks to an Android smartphone app. The use cases are, among
others:
- sharing the PC clipboard with the smartphone
- controlling the PC from the smartphone (running commands, controlling input)
I conducted an in-depth source code review [...]
Thank you for your work on this, and for publishing so much detail!
Will kdeconnectd no longer be active by default in openSUSE? I hope so.
Merely fixing the known issues doesn't address the fact that this poses
unjustified risk for most people.
Alexander
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
kdeconnect: CVE-2020-26164: multiple security issues in kdeconnectd network daemon Matthias Gerstner (Oct 13)
Re: kdeconnect: CVE-2020-26164: multiple security issues in kdeconnectd network daemon Solar Designer (Oct 13)
Re: kdeconnect: CVE-2020-26164: multiple security issues in kdeconnectd network daemon Matthias Gerstner (Oct 14)
Re: kdeconnect: CVE-2020-26164: multiple security issues in kdeconnectd network daemon Matthias Gerstner (Nov 30)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->