A list of publicly known but unfixed security bugs
Please submit a pull request if you have corrections or know about any other unfixed security bugs.
Pretty much every terminal emulator
- Multi-line pastes from an untrusted source (e.g. browser) can automatically execute something you did not intend to copy
sudo credential caching (generally enabled by default; disabled with `Defaults timestamp_timeout=0`) allows any process in a TTY to do a passwordless sudo within the timeout period, not just commands that you've prefixed with `sudo` in the shell.
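An added example, not part of the original list: a small audit that reads sudoers text and reports whether credential caching is disabled through `timestamp_timeout`. The function names and the sample input are constructed for illustration. The parser is simplified: it does not follow include directives, so pass it the concatenated contents of the main sudoers file and any drop-in files.

```python
import re

# Defaults line, optionally scoped: Defaults:user, Defaults@host, Defaults>runas, Defaults!cmd
DEFAULTS_RE = re.compile(r"^Defaults(?P<scope>[:@>!]\S+)?\s+(?P<opts>.+)$")
TIMEOUT_RE = re.compile(r"\btimestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)")


def classify(minutes):
    """Map a timestamp_timeout value (in minutes) to a verdict string."""
    if minutes is None:
        return "unset: build-time default applies, caching enabled"
    if minutes == 0:
        return "disabled: password required on every sudo"
    if minutes < 0:
        return "never expires: cached until reboot or `sudo -k`"
    return f"cached for {minutes:g} min"


def audit_sudoers(text):
    """Return {scope: verdict}; scope "*" is the global Defaults entry."""
    text = text.replace("\\\n", "")            # join continuation lines
    values = {"*": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments (simplified)
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        t = TIMEOUT_RE.search(m.group("opts"))
        if t:
            # Later entries override earlier ones for the same scope.
            values[m.group("scope") or "*"] = float(t.group(1))
    return {scope: classify(v) for scope, v in values.items()}


# Constructed sample, not taken from a real host.
SAMPLE = """\
Defaults timestamp_timeout=15
Defaults:deploy timestamp_timeout=-1
# Defaults timestamp_timeout=30
Defaults env_reset, \\
    timestamp_timeout=0
"""

if __name__ == "__main__":
    for scope, verdict in audit_sudoers(SAMPLE).items():
        print(f"{scope:10} {verdict}")
```

A per-user entry such as the `:deploy` line in the sample can re-enable caching for that account even when the global setting is 0, so review every scope in the output.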
- Unlike VMware Workstation, VirtualBox clipboard sharing gives guests continuous access to the host clipboard, instead of just when the VM is focused.
- Unlike VMware Workstation, virt-manager/spice-gtk clipboard sharing gives guests continuous access to the host clipboard, instead of just when the VM is focused. This clipboard sharing feature is unconditionally enabled without warning. A compromised guest with no need for clipboard access can install `spice-vdagent` and start continuously sniffing the host clipboard.
- Any program connected to the X server can sniff another program's keystrokes. Solved in Wayland.
Check for null bytes in binaries / strings when opening files (to be fixed in OTP 21.0)
Credential material is compared unsafely throughout Twisted; the issue is still open due to the difficulty of measuring whether the constant-time compare function actually fixes anything.
phantomjs, libqtwebkit4, libqt5webkit5
- These packages exist in a state of permanent insecurity because they don't keep up with the ~6-week browser update cycle. (For example, take any one of the many WebKit security bugs fixed after the last release of these packages, which could be ~1 year old.)
Various methods of automatically bypassing UAC (see "Unfixed methods in upcoming Windows 10 RS2 release")
Packages in your Linux distribution
- Debian stable
- Debian testing
- Debian unstable
- Ubuntu main archive
- Ubuntu universe archive
- Ubuntu partner archive
- Arch Linux