Multi-gnome-terminal 1.6.2 still has active keyboard binding debugging code that outputs every keystroke. The output either ends up in the xterm I used to start multi-gnome-terminal, or in ~/.xsession-errors when started by my desktop manager.
The fix is trivial and in CVS.
Also, if ~/.xsession-errors is world-readable (it is on my system, at least), then it's trivial to steal passwords.
Steps to Reproduce:
Created attachment 38551
Updates 1.6.2 to CVS
Reassigning, this might be a security issue.
Gnome, please verify this bug and patch the ebuild if necessary.
Duh, now reassigned.
Bug confirmed for 1.6.2, the input is being logged as numerical values (debug messages like: event->keyval: 108, event->state:16)
The patch in the attachment is from CVS and does remove the debug output.
added multi-gnome-terminal-1.6.2-r1.ebuild with the patch
ppc reset to ~
sparc & amd64 are ~ but were like that forever
ppc please mark stable.
stable again on ppc
Removing unneeded arches. Ready for GLSA decision
I would say we need a GLSA here...
Local/low theoretically, but it's so easy to get passwords (.xsession-errors is world-readable) that we might even push it to Normal.
I was unable to confirm this one.
No ~/.xsession-errors here and I've been using lots of revisions <=1.6.1
~/.xsession-errors is what gdm uses to drop console output; you can easily confirm by running m-g-t in another terminal. Any DM will probably put stdout somewhere, it doesn't need to be ~/.xsession-errors.
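A small check, added here and not taken from the bug thread or the multi-gnome-terminal project, that flags the leaked per-keystroke debug lines and the world-readable permission the thread discusses; the sample log text is constructed, and the line format is assumed from the message quoted in the report.

```python
import re
import stat

# Constructed sample of what the buggy 1.6.2 build writes to the display
# manager's stdout/stderr capture. The format is assumed from the debug
# message quoted in the bug report, not copied from a real ~/.xsession-errors.
SAMPLE_XSESSION_ERRORS = """\
(gnome-panel:1234): Gtk-WARNING **: something unrelated
event->keyval: 108, event->state:16
event->keyval: 115, event->state:16
gnome-session: some other line
event->keyval: 65293, event->state:0
"""

# Matches one leaked per-keystroke debug line (assumed format, see above).
KEYSTROKE_DEBUG = re.compile(r"^event->keyval:\s*\d+,\s*event->state:\s*\d+\s*$")


def count_keystroke_lines(text):
    """Return how many lines in the captured output are keystroke debug lines."""
    return sum(1 for line in text.splitlines() if KEYSTROKE_DEBUG.match(line))


def is_world_readable(mode):
    """True if the st_mode bits grant read access to 'other' (the 0o004 bit)."""
    return bool(mode & stat.S_IROTH)


def audit(text, mode):
    """Combine both checks: the leak only reaches other local users when
    the log file is readable by them."""
    leaked = count_keystroke_lines(text)
    readable = is_world_readable(mode)
    return {
        "keystroke_lines": leaked,
        "world_readable": readable,
        "exposed_to_other_users": leaked > 0 and readable,
    }


if __name__ == "__main__":
    import os
    path = os.path.expanduser("~/.xsession-errors")
    if not os.path.exists(path):
        raise SystemExit("no %s; check wherever your DM sends stdout" % path)
    with open(path, errors="replace") as f:
        result = audit(f.read(), os.stat(path).st_mode)
    print(result)
    if result["exposed_to_other_users"]:
        print("upgrade multi-gnome-terminal and run: chmod 600 %s" % path)
```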
GLSA approved, draft in progress