
Bug#977238: qimgv: middle-click triggers a ButtonRelease event in the underneath window; should not quit on ButtonPress



Package: qimgv
Version: 0.9.1-2
Severity: important
Tags: security

When I click with the middle button (button 2), this quits qimgv and
triggers a ButtonRelease event in the underneath window, thus
affecting an unrelated application. A major consequence is that some
applications (such as xterm and rxvt) see this ButtonRelease event as
a click, and since this is a middle-click, if the window is accepting
input at this mouse position, this unexpectedly pastes data. For a
terminal like xterm or rxvt, this can be harmful, depending on what
is running and on what is pasted (this could be private data).

In no way should an application affect other applications like that.

The cause is that qimgv quits at the ButtonPress event instead of the
ButtonRelease event.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-4-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages qimgv depends on:
ii  libc6                 2.31-5
ii  libexiv2-27           0.27.3-3
ii  libgcc-s1             10.2.1-1
ii  libmpv1               0.32.0-2+b1
ii  libopencv-core4.2     4.2.0+dfsg-6+b6
ii  libopencv-imgproc4.2  4.2.0+dfsg-6+b6
ii  libqt5core5a          5.15.2+dfsg-2
ii  libqt5gui5            5.15.2+dfsg-2
ii  libqt5widgets5        5.15.2+dfsg-2
ii  libstdc++6            10.2.1-1

qimgv recommends no packages.

qimgv suggests no packages.

-- no debconf information

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
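
Added example, not part of the original report and not qimgv's code: a small C++ model of the event sequence described above, comparing a viewer that closes on ButtonPress with one that closes on ButtonRelease. It assumes the X11 rule that a press starts an implicit pointer grab which ends if the grabbing window stops being viewable; Window, Display and middle_click are hypothetical names, and the viewer and terminal are modelled rather than real clients.

```cpp
#include <iostream>
#include <vector>

enum class Ev { Press, Release };

struct Window {
    bool mapped = true;
    bool close_on_press = false;    // behaviour described in the report
    bool close_on_release = false;  // behaviour the report asks for
    bool paste_on_release = false;  // xterm/rxvt-style middle-click paste
    int pastes = 0;
};

// Windows are listed bottom-to-top; all are assumed to cover the pointer position.
struct Display {
    std::vector<Window> stack;
    Window* grab = nullptr;  // implicit grab held between press and release

    Window* top() {
        for (auto it = stack.rbegin(); it != stack.rend(); ++it)
            if (it->mapped) return &*it;
        return nullptr;
    }
    void deliver(Ev ev) {
        // The grab ends as soon as its window is no longer viewable.
        if (grab && !grab->mapped) grab = nullptr;
        Window* w = grab ? grab : top();
        if (!w) return;
        if (ev == Ev::Press) {
            grab = w;
            if (w->close_on_press) w->mapped = false;
        } else {
            grab = nullptr;
            if (w->paste_on_release) ++w->pastes;
            if (w->close_on_release) w->mapped = false;
        }
    }
};

// Returns how many pastes the terminal underneath receives from one middle-click.
int middle_click(bool viewer_closes_on_press) {
    Display d;
    d.stack.resize(2);                       // [0] = terminal, [1] = viewer on top
    d.stack[0].paste_on_release = true;
    d.stack[1].close_on_press = viewer_closes_on_press;
    d.stack[1].close_on_release = !viewer_closes_on_press;
    d.deliver(Ev::Press);
    d.deliver(Ev::Release);
    return d.stack[0].pastes;
}
int main() {
    std::cout << "close on press:   " << middle_click(true) << " paste(s)\n";
    std::cout << "close on release: " << middle_click(false) << " paste(s)\n";
}
```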

