Lucene search

K
ubuntucveUbuntu.comUB:CVE-2013-0160
HistoryFeb 17, 2013 - 12:00 a.m.

CVE-2013-0160

2013-02-1700:00:00
ubuntu.com
ubuntu.com
22
linux kernel
keystroke timing
inotify api
sensitive information
local users
/dev/ptmx device

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

EPSS

0.001

Percentile

17.9%

The Linux kernel through 3.7.9 allows local users to obtain sensitive
information about keystroke timing by using the inotify API on the
/dev/ptmx device.

Bugs

Notes

Author Note
apw the spender sidechannel patch above may not be generally applicable but I include it for completeness.
henrix commit b0de59b5733d18b0d1974a060860a8b5c1b36a2e is not sufficient to fix the CVE because an application doesn’t have to read atime/mtime (as is the case for the PoC). The 2 additional commits fix a regression and mark the shared ptmx node as un-notifiable (which will cause additional problems to backport them to Lucid, as it doesn’t have this feature)
Rows per page:
1-10 of 111

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

EPSS

0.001

Percentile

17.9%