Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 13 Oct 2020 15:28:19 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: kdeconnect: CVE-2020-26164: multiple security issues in kdeconnectd network daemon

On Tue, Oct 13, 2020 at 02:29:12PM +0200, Matthias Gerstner wrote:
> The SUSE security team noticed that a new network service service
> `kdeconnectd` was active by default  in openSUSE Leap 15.2 listening on TCP
> and UDP port 1716. `kdeconnectd` is started automatically in the context of
> any KDE session and runs with the privileges of the logged in user.
> 
> 
> `kdeconnectd` talks to an Android smartphone app. The use cases are, among
> others:
> 
> 
> - sharing the PC clipboard with the smartphone
> - controlling the PC from the smartphone (running commands, controlling input)
> 
> 
> I conducted an in-depth source code review [...]

Thank you for your work on this, and for publishing so much detail!

Will kdeconnectd no longer be active by default in openSUSE?  I hope so.
Merely fixing the known issues doesn't address the fact that this poses
unjustified risk for most people.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.