Multi-gnome-terminal 1.6.2 still has active keyboard binding debugging code that outputs every keystroke. The output either ends up in the xterm I used to start multi-gnome-terminal, or in ~/.xsession-errors when started by my desktop manager. The fix is trivial and in CVS. Also, if ~/.xsession-errors is world-readable (it is on my system, at least), then it's trivial to steal passwords.
Reproducible: Always
Steps to Reproduce:
1. Install multi-gnome-terminal
Created attachment 38551: Updates 1.6.2 to CVS
Reassigning, this might be a security issue. Gnome, please verify this bug and patch the ebuild if necessary.
Duh, now reassigned.
Bug confirmed for 1.6.2; the input is being logged as numerical values (debug messages like: event->keyval: 108, event->state:16). The patch in the attachment is from CVS and does remove the debug output.
Added multi-gnome-terminal-1.6.2-r1.ebuild with the patch. x86 stable; ppc reset to ~; sparc & amd64 are ~ but were like that forever.
ppc, please mark stable.
stable again on ppc
Removing unneeded arches. Ready for GLSA decision.
I would say we need a GLSA here... Local/low theoretically, but it's so easy to get passwords (.xsession-errors is world-readable), we might even push it to Normal.
I was unable to confirm this one. No ~/.xsession-errors here and I've been using lots of revisions <=1.6.1
~/.xsession-errors is what gdm uses to drop console output; you can easily confirm by running m-g-t in another terminal. Any DM will probably put std output somewhere, it doesn't need to be ~/.xsession-errors.
GLSA approved, draft in progress
GLSA 200409-10
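A defender-side check for the exposure discussed in this thread (an added example, not part of the original bug report or the project's code): it counts lines in a session log that match the debug message format quoted above and reports whether that log is world-readable. The function names and return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a session log for multi-gnome-terminal key-event debug output.
# The pattern is built from the sample message quoted in the thread:
#   event->keyval: 108, event->state:16
KEY_DEBUG_RE='event->keyval: *[0-9]+, *event->state: *[0-9]+'

# Print how many lines of file $1 look like key-event debug output.
count_key_debug_lines() {
    # grep -c prints 0 and exits 1 when nothing matches; keep the 0.
    grep -c -E -e "$KEY_DEBUG_RE" -- "$1" 2>/dev/null || true
}

# Succeed if "other" has read permission on $1 (POSIX find, no GNU stat needed).
is_world_readable() {
    [ -n "$(find -L "$1" -prune -perm -0004 2>/dev/null)" ]
}

# Audit one log file (hypothetical return codes chosen for this example):
#   0 = file missing or no debug lines
#   1 = debug lines present, file not world-readable
#   2 = debug lines present and file world-readable
audit_log() {
    log=$1
    [ -f "$log" ] || { echo "$log: not present"; return 0; }
    hits=$(count_key_debug_lines "$log")
    if [ "$hits" -eq 0 ]; then
        echo "$log: no key-event debug lines"
        return 0
    fi
    if is_world_readable "$log"; then
        echo "$log: $hits key-event debug lines, world-readable: chmod 600 it and install 1.6.2-r1"
        return 2
    fi
    echo "$log: $hits key-event debug lines (not world-readable): install 1.6.2-r1"
    return 1
}

# Runs only when paths are given, e.g.: sh audit.sh ~/.xsession-errors
for f in "$@"; do audit_log "$f" || :; done
```

Because any display manager may redirect standard output somewhere else, pass whatever file your session actually logs to, not only ~/.xsession-errors.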