https://bugzilla.redhat.com/show_bug.cgi?id=1907782
Bug ID: 1907782
Summary: Disable dangerous key logging with librime
Product: Fedora
Version: 33
OS: Linux
Status: NEW
Component: librime
Severity: high
Assignee: pwu(a)redhat.com
Reporter: xnwrsp(a)yandex.com
QA Contact: extras-qa(a)fedoraproject.org
CC: i18n-bugs(a)lists.fedoraproject.org,
petersen(a)redhat.com, pwu(a)redhat.com
Target Milestone: ---
Classification: Fedora
Description of problem:
A very verbose log is being saved at /tmp/rime.fcitx-rime.INFO, which can become
very large and contains everything the user has typed. Even worse, the permission
set on this file is 755, which means everyone can read this file and see exactly
what the user has typed.
Version-Release number of selected component (if applicable):
1.5.3
How reproducible:
Always
Steps to Reproduce:
1. Add librime in fcitx
2. Switch to it, and try to type something
3. Read the file under /tmp/rime.fcitx-rime.INFO (which is a symlink to the
actual log file)
Actual results:
Confidential data is saved to disk without user consent.
Expected results:
librime should not log anything that contains user input.
Additional info:
I do not know where the cmake macro is from in the rpm spec but it should have
the flag `DCMAKE_BUILD_TYPE=Release` set. Relevant issue:
https://github.com/rime/librime/issues/254#issuecomment-625155952
Relevant bug reports:
https://bugs.gentoo.org/695702
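
A defender-side check for the condition this report describes, as an added example that is not part of the original report or of librime: it lists rime log files in a temp directory that other users can read, following the symlink the report mentions, and can tighten their mode. The function names and the `rime.*` glob are assumptions made here (the report only names /tmp/rime.fcitx-rime.INFO), and it relies on GNU coreutils (`stat -c`, `readlink -f`) as shipped on Fedora.

```shell
#!/bin/sh
# Added example: audit a temp directory for rime logs readable by other users.
# Assumption: log names start with "rime." (the report names
# /tmp/rime.fcitx-rime.INFO, a symlink to the actual log file).

# Print "<mode> <size> <resolved path>" for every rime.* log others can read.
audit_rime_logs() {
    dir=${1:-/tmp}
    seen=""
    for entry in "$dir"/rime.*; do
        [ -e "$entry" ] || continue        # unmatched glob or dangling symlink
        target=$(readlink -f -- "$entry") || continue
        [ -f "$target" ] || continue
        # The symlink and its target can both match the glob: report once.
        case "$seen" in *"|$target|"*) continue ;; esac
        seen="$seen|$target|"
        mode=$(stat -c '%a' -- "$target")
        size=$(stat -c '%s' -- "$target")
        # Last octal digit holds the "other" permissions; bit 4 is read.
        other=${mode#"${mode%?}"}
        if [ $((other & 4)) -ne 0 ]; then
            printf '%s %s %s\n' "$mode" "$size" "$target"
        fi
    done
}

# Tighten every log the audit reports so only the owner can read or write it.
restrict_rime_logs() {
    audit_rime_logs "${1:-/tmp}" | while read -r _mode _size path; do
        chmod 600 -- "$path"
    done
}
```

Call `audit_rime_logs /tmp` to list exposed logs and `restrict_rime_logs /tmp` to tighten them. Changing the mode only limits who can read the file; the keystrokes are still written to disk until logging itself is turned off.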