| Field | Value |
|---|---|
| Summary | x11-terms/multi-gnome-terminal logs keystrokes into .xsession-errors |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Tom Russo <thomas_a_russo> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | High |
| CC | gnome |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | C4 [glsa] jaervosz |
| Runtime testing required | --- |

Description
Tom Russo
2004-08-30 18:21:38 UTC
Created attachment 38551 [details, diff]
Updates 1.6.2 to CVS
Reassigning this might be a security issue. Gnome please verify this bug and patch ebuild if necessary

Duh, now reassigned.

Bug confirmed for 1.6.2, the input is being logged as numerical values (debug messages like: event->keyval: 108, event->state:16) The patch in the attachment is from CVS and does remove the debug output.

added multi-gnome-terminal-1.6.2-r1.ebuild with the patch x86 stable ppc reset to ~ sparc & amd64 are ~ but were like that forever ppc please mark stable.

stable again on ppc

Removing unneeded arches. Ready for GLSA decision

I would say we need a GLSA here... Local/low theoretically, but it's so easy to get passwords (.xsession-errors is world-readable), we might even push it to Normal.

I was unable to confirm this one. No ~/.xsession-errors here and I've been using lots of revisions <=1.6.1

~/.xsession-errors is what gdm uses to drop console output, you can easily confirm by running m-g-t in another terminal. Any DM will probably put std output somewhere, it doesn't need to be ~/.xsession-errors.

GLSA approved, draft in progress

GLSA 200409-10
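
A check for the condition discussed in this thread, as an added example that is not part of the bug report or of multi-gnome-terminal: it counts the `event->keyval` / `event->state` debug entries in a session log, reports whether the file is readable by other users, and removes the entries that were written before the fixed ebuild was installed. The function names and the sample log are constructed for illustration; point `audit_log` at whichever file your display manager uses for console output.

```python
import os
import re
import stat
import tempfile

# Debug line format quoted in the report: "event->keyval: 108, event->state:16"
KEY_DEBUG = re.compile(r"event->keyval:\s*\d+,\s*event->state:\s*\d+")

def audit_log(path):
    """Return (number of key-event debug entries, readable by group/other?)."""
    mode = os.stat(path).st_mode
    exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    with open(path, "r", errors="replace") as fh:
        hits = sum(len(KEY_DEBUG.findall(line)) for line in fh)
    return hits, exposed

def scrub_log(path):
    """Remove key-event debug lines and make the file owner-only.

    The patched ebuild stops new entries; entries already written stay in
    the file until removed. Run while the affected terminal is not writing.
    """
    with open(path, "r", errors="replace") as fh:
        kept = [line for line in fh if not KEY_DEBUG.search(line)]
    with open(path, "w") as fh:
        fh.writelines(kept)
    os.chmod(path, 0o600)
    return len(kept)

def demo():
    """Run audit, scrub, audit on a constructed sample log (not real data)."""
    sample = (
        "constructed: session started\n"
        "event->keyval: 108, event->state:16\n"
        "event->keyval: 115, event->state:16\n"
        "constructed: unrelated warning\n"
        "event->keyval: 65293, event->state:16\n"
    )
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as tmp:
        tmp.write(sample)
    os.chmod(tmp.name, 0o644)  # world-readable, as the report describes
    before = audit_log(tmp.name)
    kept = scrub_log(tmp.name)
    after = audit_log(tmp.name)
    os.unlink(tmp.name)
    return before, kept, after

if __name__ == "__main__":
    print(demo())
```
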