Bug 62322 - x11-terms/multi-gnome-terminal logs keystrokes into .xsession-errors
Summary: x11-terms/multi-gnome-terminal logs keystrokes into .xsession-errors
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: C4 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2004-08-30 18:21 UTC by Tom Russo
Modified: 2011-10-30 22:38 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Updates 1.6.2 to CVS (sonne-patch.diff,2.50 KB, patch)
2004-08-30 18:23 UTC, Tom Russo

Description Tom Russo 2004-08-30 18:21:38 UTC
Multi-gnome-terminal 1.6.2 still has active keyboard binding debugging code that outputs every keystroke. The output either ends up in the xterm I used to start multi-gnome-terminal, or in the ~/.xsession-errors when started by my desktop manager.

The fix is trivial and in CVS.

Also, if ~/.xsession-errors is world-readable (it is on my system, at least), then it's trivial to steal passwords.

Reproducible: Always
Steps to Reproduce:
1. install multi-gnome-terminal
Comment 1 Tom Russo 2004-08-30 18:23:33 UTC
Created attachment 38551 [details, diff]
Updates 1.6.2 to CVS
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-31 04:26:54 UTC
Reassigning this might be a security issue.

Gnome please verify this bug and patch ebuild if necessary

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-31 04:27:53 UTC
Duh, now reassigned.
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2004-08-31 12:22:03 UTC
Bug confirmed for 1.6.2; the input is being logged as numerical values (debug messages like: event->keyval: 108, event->state:16)

The patch in the attachment is from CVS and does remove the debug output.
Comment 5 foser (RETIRED) gentoo-dev 2004-09-03 09:49:30 UTC
added multi-gnome-terminal-1.6.2-r1.ebuild with the patch 

x86 stable
ppc reset to ~
sparc & amd64 are ~ but were like that forever
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-03 11:59:06 UTC
ppc please mark stable.
Comment 7 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-09-03 16:18:48 UTC
stable again on ppc
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-09-05 03:41:58 UTC
Removing unneeded arches. Ready for GLSA decision
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-09-05 08:42:48 UTC
I would say we need a GLSA here... 

Local/low theoretically, but it's so easy to get passwords (.xsession-errors is world-readable), we might even push it to Normal.
Comment 10 solar (RETIRED) gentoo-dev 2004-09-05 09:22:13 UTC
I was unable to confirm this one. 
No ~/.xsession-errors here and I've been using lots of revisions <=1.6.1
Comment 11 foser (RETIRED) gentoo-dev 2004-09-05 09:35:05 UTC
~/.xsession-errors is what gdm uses to drop console output; you can easily confirm by running m-g-t in another terminal. Any DM will probably put std output somewhere, it doesn't need to be ~/.xsession-errors.
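The exposure discussed in comments 4, 9 and 11 has two ingredients: the debug lines (`event->keyval: ...`) that the 1.6.2 key-binding code writes to stdout, and a display manager that captures that stdout into a file other local users can read. The following audit script is an added example written for this page; it is not from the bug report, the patch, or the multi-gnome-terminal project. It assumes only that the leaked lines carry the `event->keyval:` marker quoted in comment 4, and the sample log contents it builds are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or the project): audit a session
# log for the multi-gnome-terminal 1.6.2 key-binding debug output and for
# the world-readable permission that turns it into a local disclosure.
# Assumption: the leaked lines contain "event->keyval:" as quoted in comment 4.

# Returns 0 if the log contains the key-binding debug lines, 1 otherwise.
has_keystroke_debug() {
    grep -q 'event->keyval:' "$1"
}

# Returns 0 if "other" has read permission on the file (mode bit 0004), 1 otherwise.
is_world_readable() {
    [ -n "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Verdict for one log: returns 0 (clean), 1 (records keystrokes but only the
# owner can read it), 2 (records keystrokes and any local user can read it).
audit_xsession_log() {
    log="$1"
    if ! has_keystroke_debug "$log"; then
        echo "OK: no key-binding debug output in $log"
        return 0
    fi
    if is_world_readable "$log"; then
        echo "CRITICAL: $log records keystrokes and is world-readable"
        return 2
    fi
    echo "WARNING: $log records keystrokes; only the owner can read it"
    return 1
}

# Builds a constructed sample log (format as quoted in comment 4) and prints
# its path.  $1 = octal mode to apply, $2 = "debug" to include the leaked lines.
make_sample_log() {
    tmp=$(mktemp)
    if [ "$2" = "debug" ]; then
        printf 'event->keyval: 108, event->state:16\n' > "$tmp"
        printf 'event->keyval: 115, event->state:16\n' >> "$tmp"
    else
        printf 'Gtk-WARNING **: constructed harmless message\n' > "$tmp"
    fi
    chmod "$1" "$tmp"
    echo "$tmp"
}

# Stand-alone run: audit the real session log if present, then the samples.
# A non-zero status is the finding, not a script error, so it is not fatal here.
if [ -f "$HOME/.xsession-errors" ]; then
    audit_xsession_log "$HOME/.xsession-errors" || :
fi
for f in "$(make_sample_log 644 debug)" "$(make_sample_log 600 debug)" "$(make_sample_log 644 clean)"; do
    audit_xsession_log "$f" || :
    rm -f "$f"
done
```

The permission check uses `find -perm -004` rather than parsing `ls` output so it behaves the same on GNU and BSD userlands. As comment 11 notes, a display manager other than gdm may send stdout elsewhere, so the same audit should be pointed at whichever file your DM uses; the fix itself is the CVS patch attached to this bug (1.6.2-r1), after which `has_keystroke_debug` should report nothing new.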
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-09-06 06:47:02 UTC
GLSA approved, draft in progress
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-09-06 12:09:14 UTC
GLSA 200409-10