On Wed, 07 Mar 2012 15:19:42 -0800 Matthew Brush mbrush@codebrainz.ca wrote:
Just forwarding this along from the Xfce list as Geany (and many other programs) also uses this same library for the Terminal feature. I'm not convinced it's a big deal, but nonetheless users should be aware of it. See the link in the forwarded message for more information.
If one considers this a "high severity" problem, then no program should ever create a /tmp file with sensitive data. But wait, what about the regular files? If they are only deleted, strings /dev/sda2 will reveal them too, and the same goes for swap... In fact, /tmp files are probably the safest. And of course, the proposed shred and dd "solutions" are useless for SSDs.
I'm not surprised that the authors of libvte rejected this bug. Though writing the scrollback buffer to a file is weird...