https://bugzilla.redhat.com/show_bug.cgi?id=1907782
Bug ID: 1907782 Summary: Disable dangerous key logging with librime Product: Fedora Version: 33 OS: Linux Status: NEW Component: librime Severity: high Assignee: pwu@redhat.com Reporter: xnwrsp@yandex.com QA Contact: extras-qa@fedoraproject.org CC: i18n-bugs@lists.fedoraproject.org, petersen@redhat.com, pwu@redhat.com Target Milestone: --- Classification: Fedora
Description of problem: A very verbose log is being saved at /tmp/rime.fcitx-rime.INFO which can become very large and contains everything the user has typed. Even worse, permission set on this file is 755 which means everyone can read this file and see exactly what the user has typed.
Version-Release number of selected component (if applicable): 1.5.3
How reproducible: Always
Steps to Reproduce: 1. add librime in fcitx 2. switch to it, and try to type something 3. read the file under /tmp/rime.fcitx-rime.INFO (which is a symlink to the actual log file)
Actual results: Confidential data is saved to disk without user consent.
Expected results: librime should not log anything that contains user input
Additional info: I do not know where the cmake macro is from in the rpm spec but it should have the flag `DCMAKE_BUILD_TYPE=Release` set. Relevant issue: https://github.com/rime/librime/issues/254#issuecomment-625155952
Relevant bug reports: https://bugs.gentoo.org/695702
https://bugzilla.redhat.com/show_bug.cgi?id=1907782
Fedora Update System updates@fedoraproject.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |MODIFIED
--- Comment #1 from Fedora Update System updates@fedoraproject.org --- FEDORA-2020-a3347ff2f9 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-a3347ff2f9
https://bugzilla.redhat.com/show_bug.cgi?id=1907782
Fedora Update System updates@fedoraproject.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|MODIFIED |ON_QA
--- Comment #2 from Fedora Update System updates@fedoraproject.org --- FEDORA-2020-a3347ff2f9 has been pushed to the Fedora 32 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-a3347ff2f9` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-a3347ff2f9
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
https://bugzilla.redhat.com/show_bug.cgi?id=1907782
--- Comment #3 from Bug Reporter xnwrsp@yandex.com --- This issue has been fixed with FEDORA-2020-032ae4123a. Thank you.
https://bugzilla.redhat.com/show_bug.cgi?id=1907782
Fedora Update System updates@fedoraproject.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|ON_QA |CLOSED Fixed In Version| |librime-1.5.3-3.fc32 Resolution|--- |ERRATA Last Closed| |2021-01-01 01:24:29
--- Comment #4 from Fedora Update System updates@fedoraproject.org --- FEDORA-2020-a3347ff2f9 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.
i18n-bugs@lists.fedoraproject.org
-
bugzilla@redhat.com