Bug#474024: malicious applications can print text over gksu window
Gustavo Noronha
kov at debian.org
Tue May 19 01:16:59 UTC 2009
tag 474024 fixed-upstream
thanks
On Sat, 2009-05-16 at 16:14 +0300, Timo Juhani Lindfors wrote:
> Gustavo Noronha <kov at debian.org> writes:
> > able to read the password by eavesdropping the X connection. However,
> > this is ineffective against malicious applications that use ptrace() to
> > capture the password. See http://bugs.debian.org/474024 for more info.
>
> Doesn't this give the wrong impression? Somebody might disable ptrace
> from their system and think they are safe?
>
> In reality also ltrace (using LD_PRELOAD) can capture the password.
I have committed the following:
+.PP
+.B gksu
+tries to "lock" the keyboard, mouse and focus to prevent other
+applications from being able to read the password by eavesdropping the
+X connection. However, this is not enough to ensure 100% protection,
+since malicious applications can still use tracing calls such as
+ptrace() to capture the password. See Debian bug #474024 for more
+info.
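Review bot: the clause "tracing calls such as ptrace()" in the added paragraph still ties the limitation to tracing, so a reader could conclude that disabling ptrace is enough. The LD_PRELOAD case raised in the quoted reply is not a tracing call and is not covered by this wording. Consider phrasing that does not depend on one mechanism, for example "since malicious applications can still capture the password by other means, such as ptrace() or LD_PRELOAD". The earlier draft quoted above gave the full URL http://bugs.debian.org/474024; keeping it in the final text would let a reader of the man page reach the bug directly.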
Thanks for your work on this!
See you,
--
Gustavo Noronha <kov at debian.org>
Debian Project