Package: qimgv Version: 0.9.1-2 Severity: important Tags: security When I click with the middle button (button 2), this quits qimgv and triggers a ButtonRelease event in the underneath window, thus affecting an unrelated application. A major consequence is that some applications (such as xterm and rxvt) see this ButtonRelease event as a click, and since this is a middle-click, if the window is accepting input at this mouse position, this unexpectedly pastes data. For a terminal like xterm or rxvt, this can be harmful, depending on what is running and on what is pasted (this could be private data).
In no way an application should affect other applications like that. The cause is that qimgv quits at the ButtonPress event instead of the ButtonRelease event. -- System Information: Debian Release: bullseye/sid APT prefers unstable-debug APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 5.9.0-4-amd64 (SMP w/8 CPU threads) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages qimgv depends on: ii libc6 2.31-5 ii libexiv2-27 0.27.3-3 ii libgcc-s1 10.2.1-1 ii libmpv1 0.32.0-2+b1 ii libopencv-core4.2 4.2.0+dfsg-6+b6 ii libopencv-imgproc4.2 4.2.0+dfsg-6+b6 ii libqt5core5a 5.15.2+dfsg-2 ii libqt5gui5 5.15.2+dfsg-2 ii libqt5widgets5 5.15.2+dfsg-2 ii libstdc++6 10.2.1-1 qimgv recommends no packages. qimgv suggests no packages. -- no debconf information -- Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
