Hi all,
Just forwarding this along from the Xfce list as Geany (and many other programs) also use this same library for the Terminal feature. I'm not convinced it's a big deal, but nonetheless users should be aware of it. See the link in the forwarded message for more information.
Cheers,
Matthew Brush

-------- Original Message --------
Subject: Security issue in Terminal
Date: Wed, 07 Mar 2012 11:28:58 -0500
From: David Rosenstrauch <darose darose.net>
Reply-To: Xfce general discussion list xfce@xfce.org
To: xfce@xfce.org

Has there already been a bug report filed for this security issue in Terminal?
http://www.climagic.org/bugreports/libvte-scrollback-written-to-disk.html
Thanks,
DR

On Wed, 07 Mar 2012 15:19:42 -0800 Matthew Brush mbrush@codebrainz.ca wrote:
> Just forwarding this along from the Xfce list as Geany (and many other programs) also use this same library for the Terminal feature. I'm not convinced it's a big deal, but nonetheless users should be aware of it. See the link in the forwarded message for more information.

If one considers this a "high severity" problem, then no program should ever create a /tmp file with sensitive data. But wait, what about the regular files?.. If they are only deleted, strings /dev/sda2 will reveal them too, and the same goes for swap... In fact, /tmp files are probably the safest. And of course, the proposed shred and dd "solutions" are useless for SSDs.
I'm not surprised that the authors of libvte rejected this bug. Though writing the scrollback buffer to a file is weird...