Published: 17 February 2013
The Linux kernel through 3.7.9 allows local users to obtain sensitive information about keystroke timing by using the inotify API on the /dev/ptmx device.
From the Ubuntu security team
An information leak was discovered in the Linux kernel when inotify is used to monitor the /dev/ptmx device. A local user could exploit this flaw to discover keystroke timing and potentially discover sensitive information like password length.
the spender sidechannel patch above may not be generally applicable but I include it for completeness.
commit b0de59b5733d18b0d1974a060860a8b5c1b36a2e is not sufficient to fix the CVE because an application doesn't have to read atime/mtime (as is the case for the PoC). The 2 additional commits fix a regression and mark the shared ptmx node as un-notifiable (which will cause additional problems to backport them to Lucid, as it doesn't have this feature)