[opensuse] Data Breach Flaw Found Gnome-terminal, Xfce Terminal and Terminator
Hi All, Just an FYI: http://linux.slashdot.org/story/12/03/08/1441215/data-breach-flaw-found-in-g... Data Breach Flaw Found In Gnome-terminal, Xfce Terminal and Terminator Posted by timothy on Thursday March 08, @10:50AM from the so-it-can-be-fixed-now dept. suso writes "A design flaw in the VTE library was published this week(1). The VTE library provides the terminal widget and manages the scrollback buffer in many popular terminal emulators including gnome-terminal, xfce4-terminal, terminator and guake. Due to this flaw, your scrollback buffer ends up on your /tmp filesystem over time and can be viewed by anyone who gets ahold of your hard drive. Including data passed back through an SSH connection. A demonstration video(2) was also made to make the problem more obvious. Anyone using these terminals or others based on libVTE should be aware of this issue as it even writes data passed back through an SSH connection to your local disk. Instructions are also included for how to properly deal with the leaked data on your hard drive. You are either encouraged to switch terminals and/or start using tmpfs for your /tmp partition until the library is fixed." [1] http://climagic.org/bugreports/libvte-scrollback-written-to-disk.html [2] http://www.youtube.com/watch?v=LgNLHskYvVE -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
El 08/03/12 16:40, Carl Hartung escribió:
Hi All,
Just an FYI:
http://linux.slashdot.org/story/12/03/08/1441215/data-breach-flaw-found-in-g...
Data Breach Flaw Found In Gnome-terminal, Xfce Terminal and Terminator Posted by timothy on Thursday March 08, @10:50AM
from the so-it-can-be-fixed-now dept.
suso writes "A design flaw in the VTE library was published this week(1). The VTE library provides the terminal widget and manages the scrollback buffer in many popular terminal emulators including gnome-terminal, xfce4-terminal, terminator and guake. Due to this flaw, your scrollback buffer ends up on your /tmp filesystem over time and can be viewed by anyone who gets ahold of your hard drive. Including data passed back through an SSH connection. A demonstration video(2) was also made to make the problem more obvious. Anyone using these terminals or others based on libVTE should be aware of this issue as it even writes data passed back through an SSH connection to your local disk. Instructions are also included for how to properly deal with the leaked data on your hard drive. You are either encouraged to switch terminals and/or start using tmpfs for your /tmp partition until the library is fixed."
[1] http://climagic.org/bugreports/libvte-scrollback-written-to-disk.html [2] http://www.youtube.com/watch?v=LgNLHskYvVE
Oh, the good old quirks and gotchas! they keep giving joy :-) This is not a nice thing to fall on, however it is not a bug, but a design tradeoff. There are a few things that may help though. run the terminal with a private tmp namespace see clone(2) which will be destroyed when you close the program in question. It may also be possible to perform some kind of "secure delete" (whatever that means.. if not an oxymoron... good luck with that !) before unlinking the file... -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
participants (2)
-
Carl Hartung
-
Cristian Rodríguez