Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 62322

Summary: x11-terms/multi-gnome-terminal logs keystrokes into .xsession-errors
Product: Gentoo Security Reporter: Tom Russo <thomas_a_russo>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: gnome
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: C4 [glsa] jaervosz
Package list:
Runtime testing required: ---
Description Flags
Updates 1.6.2 to CVS none

Description Tom Russo 2004-08-30 18:21:38 UTC
Multi-gnome-terminal 1.6.2 still has active keyboard binding debugging code that outputs every keystroke.  The output either ends up in the xterm i used to start multi-gnome-terminal, or in the ~/.xsession-errors when started by my desktop manager.

The fix is trival and in CVS.

Also, if ~/.xsession-errors is world-readable (it is on my system, atleast), then it's trivial to steal passwords.

Reproducible: Always
Steps to Reproduce:
1.install multi-gnome-terminal
Comment 1 Tom Russo 2004-08-30 18:23:33 UTC
Created attachment 38551 [details, diff]
Updates 1.6.2 to CVS
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-31 04:26:54 UTC
Reassigning this might be a security issue.

Gnome please verify this bug and patch ebuild if necessary

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-31 04:27:53 UTC
Duh, now reassigned.
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2004-08-31 12:22:03 UTC
Bug confirmed for 1.6.2, the input is being logged as numerical values (debug messages like: event->keyval: 108, event->state:16)

The patch in the attachment is from CVS and does remove the debug output.
Comment 5 foser (RETIRED) gentoo-dev 2004-09-03 09:49:30 UTC
added multi-gnome-terminal-1.6.2-r1.ebuild with the patch 

x86 stable
ppc reset to ~
sparc & amd64 are ~ but were like that forever
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-03 11:59:06 UTC
ppc please mark stable.
Comment 7 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-09-03 16:18:48 UTC
stable again on ppc
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-09-05 03:41:58 UTC
Removing unneeded arches. Ready for GLSA decision
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-09-05 08:42:48 UTC
I would say we need a GLSA here... 

Local/low theorically, but it's so easy to get passwords (.xsession-errors is world-readable), we might even push it to Normal.
Comment 10 solar (RETIRED) gentoo-dev 2004-09-05 09:22:13 UTC
I was unable to confirm this one. 
No ~/.xsession-errors here and I've been using lots of revisions <=1.6.1
Comment 11 foser (RETIRED) gentoo-dev 2004-09-05 09:35:05 UTC
~/.xsession-errors is what gdm uses to drop console output, you can easily confirm by running m-g-t in another terminal. Any DM will probably put std output somewhere, it doesn't need to be ~/.xsession-errors .
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-09-06 06:47:02 UTC
GLSA approved, draft in progress
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-09-06 12:09:14 UTC
GLSA 200409-10