Bug#: 62322
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Tom Russo <thomas_a_russo@hotmail.com>
Attachment: sonne-patch.diff (patch, 2.50 KB), "Updates 1.6.2 to CVS", created by Tom Russo, 2004-08-30 18:23 0000
Votes: 0



Description:   Opened: 2004-08-30 18:21 0000
Multi-gnome-terminal 1.6.2 still has active keyboard binding debugging code
that outputs every keystroke.  The output either ends up in the xterm I used to
start multi-gnome-terminal, or in the ~/.xsession-errors when started by my
desktop manager.

The fix is trivial and in CVS.

Also, if ~/.xsession-errors is world-readable (it is on my system, at least),
then it's trivial to steal passwords.

Reproducible: Always
Steps to Reproduce:
1. install multi-gnome-terminal

------- Comment #1 From Tom Russo 2004-08-30 18:23:33 0000 -------
Created an attachment (id=38551)
Updates 1.6.2 to CVS

------- Comment #2 From Sune Kloppenborg Jeppesen 2004-08-31 04:26:54 0000 -------
Reassigning this might be a security issue.

Gnome please verify this bug and patch ebuild if necessary


------- Comment #3 From Sune Kloppenborg Jeppesen 2004-08-31 04:27:53 0000 -------
Duh, now reassigned.

------- Comment #4 From Matthias Geerdsen 2004-08-31 12:22:03 0000 -------
Bug confirmed for 1.6.2, the input is being logged as numerical values (debug
messages like: event->keyval: 108, event->state:16)

The patch in the attachment is from CVS and does remove the debug output.

------- Comment #5 From foser (RETIRED) 2004-09-03 09:49:30 0000 -------
added multi-gnome-terminal-1.6.2-r1.ebuild with the patch 

x86 stable
ppc reset to ~
sparc & amd64 are ~ but were like that forever

------- Comment #6 From Sune Kloppenborg Jeppesen 2004-09-03 11:59:06 0000 -------
ppc please mark stable.

------- Comment #7 From Pieter Van den Abeele 2004-09-03 16:18:48 0000 -------
stable again on ppc

------- Comment #8 From Thierry Carrez (RETIRED) 2004-09-05 03:41:58 0000 -------
Removing unneeded arches. Ready for GLSA decision

------- Comment #9 From Thierry Carrez (RETIRED) 2004-09-05 08:42:48 0000 -------
I would say we need a GLSA here... 

Local/low theoretically, but it's so easy to get passwords (.xsession-errors is world-readable), we might even push it to Normal.

------- Comment #10 From solar 2004-09-05 09:22:13 0000 -------
I was unable to confirm this one. 
No ~/.xsession-errors here and I've been using lots of revisions <=1.6.1

------- Comment #11 From foser (RETIRED) 2004-09-05 09:35:05 0000 -------
~/.xsession-errors is what gdm uses to drop console output, you can easily
confirm by running m-g-t in another terminal. Any DM will probably put std
output somewhere, it doesn't need to be ~/.xsession-errors .
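
An added audit script, written for this page and not part of the bug report, the ebuild, or multi-gnome-terminal itself. It checks a session log (by default the ~/.xsession-errors that comment #11 says gdm writes console output to) for the two conditions the thread describes: the file being readable by other users, and the presence of the "event->keyval: N, event->state:M" debug lines quoted in comment #4. The function names are mine, and the sample log created at the end is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from multi-gnome-terminal.
# Audits a desktop-session log (normally ~/.xsession-errors) for:
#   1. the log being readable by other users, and
#   2. per-keystroke debug lines "event->keyval: N, event->state:M"
#      of the kind multi-gnome-terminal 1.6.2 wrote to its stdout/stderr.
# The sample log created at the bottom is constructed for this example.

# True (exit 0) when the "other" read bit is set on the file.
# Column 8 of `ls -ld` output is the other-read flag ("r" or "-").
is_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Print the number of keystroke debug lines in the file (0 if it does not exist).
count_keyval_lines() {
    if [ -f "$1" ]; then
        grep -c 'event->keyval:' "$1" || true   # grep -c exits 1 on zero matches
    else
        echo 0
    fi
}

# Audit one log. Exit status: 0 = clean, 1 = world-readable,
# 2 = contains keystroke debug lines, 3 = both.
audit_session_log() {
    log="$1"
    rc=0
    if is_world_readable "$log"; then
        echo "WARN: $log is readable by other users; fix with: chmod 600 \"$log\""
        rc=$((rc + 1))
    fi
    n="$(count_keyval_lines "$log")"
    if [ "$n" -gt 0 ]; then
        echo "WARN: $log holds $n keystroke debug line(s); upgrade the terminal and truncate the log"
        rc=$((rc + 2))
    fi
    return "$rc"
}

# Demonstration on a constructed log that shows both problems.
demo_log="$(mktemp)"
cat > "$demo_log" <<'EOF'
(multi-gnome-terminal:1234): Gtk-WARNING **: constructed unrelated message
event->keyval: 108, event->state:16
event->keyval: 115, event->state:16
EOF
chmod 644 "$demo_log"
audit_session_log "$demo_log" || echo "audit exit status: $?"
rm -f "$demo_log"
```

Run it against the real file with `audit_session_log "$HOME/.xsession-errors"`; the exit status separates the permission problem (which `chmod 600` fixes immediately) from the leaked-keystroke problem (which only the -r1 ebuild and truncating the log fix). Other display managers may send stdout elsewhere, as comment #11 notes, so pass whichever log your DM writes.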

------- Comment #12 From Thierry Carrez (RETIRED) 2004-09-06 06:47:02 0000 -------
GLSA approved, draft in progress

------- Comment #13 From Thierry Carrez (RETIRED) 2004-09-06 12:09:14 0000 -------
GLSA 200409-10
