Mailinglist Archive: opensuse (1480 mails)

< Previous Next >
Re: [opensuse] Data Breach Flaw Found Gnome-terminal, Xfce Terminal and Terminator
El 08/03/12 16:40, Carl Hartung escribió:
Hi All,

Just an FYI:

http://linux.slashdot.org/story/12/03/08/1441215/data-breach-flaw-found-in-gnome-terminal-xfce-terminal-and-terminator

Data Breach Flaw Found In Gnome-terminal, Xfce Terminal and Terminator
Posted by timothy on Thursday March 08, @10:50AM

from the so-it-can-be-fixed-now dept.

suso writes "A design flaw in the VTE library was published this week(1). The VTE
library provides the terminal widget and manages the scrollback buffer in many popular
terminal emulators including gnome-terminal, xfce4-terminal, terminator and guake. Due to
this flaw, your scrollback buffer ends up on your /tmp filesystem over time and can be
viewed by anyone who gets ahold of your hard drive. Including data passed back through an
SSH connection. A demonstration video(2) was also made to make the problem more obvious.
Anyone using these terminals or others based on libVTE should be aware of this issue as
it even writes data passed back through an SSH connection to your local disk.
Instructions are also included for how to properly deal with the leaked data on your hard
drive. You are either encouraged to switch terminals and/or start using tmpfs for your
/tmp partition until the library is fixed."

[1] http://climagic.org/bugreports/libvte-scrollback-written-to-disk.html
[2] http://www.youtube.com/watch?v=LgNLHskYvVE


Oh, the good old quirks and gotchas! they keep giving joy :-) This is not a nice thing to fall on, however it is not a bug, but a design tradeoff.

There are a few things that may help though.

run the terminal with a private tmp namespace see clone(2) which will be destroyed when you close the program in question.

It may also be possible to perform some kind of "secure delete" (whatever that means.. if not an oxymoron... good luck with that !) before unlinking the file...





--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx

< Previous Next >
References