[cairo] Potential Side-channel in Cairo Graphics Library
Paul Menzel
pmenzel+cairo at molgen.mpg.de
Tue Feb 19 08:20:52 UTC 2019
Dear Daimeng,
On 19.02.19 04:49, Daimeng Wang wrote:
> We're a group of researchers from University of California Riverside. We
> recently discovered that some functions in Cairo graphics
> library take variable amount of time depending on the input character. As a
> result, an unprivileged attacker could potentially utilize flush+reload
> cache side-channel attack to measure the execution time of said functions
> to infer users' text input. We verified this using the Onboard app that
> comes with Ubuntu 16.04.
>
> For detailed information please refer to our paper in the link below. We
> would be very happy to work with you to address this issue. Please let us
> know what you think.
>
> https://www.cs.ucr.edu/~zhiyunq/pub/ndss19_cache_keystrokes.pdf
Thank you very much for your message, and analyzing these issues. As
this is possibly a security issue, I suggest that you contact the
security teams of the major distribution (Red Hat, SUSE, Ubuntu, Debian,
…), as they are also interested in this and have often paid developers
being able to help to fix these issues.
Kind regards,
Paul
More information about the cairo
mailing list