Bug#719589: libvte9: scrollback buffer written to disk
Markus Frosch
markus at lazyfrosch.de
Tue Aug 13 11:31:13 UTC 2013
Package: libvte9
Version: 1:0.28.2-5
Severity: normal
Tags: upstream
Control: forwarded -1 https://bugzilla.gnome.org/show_bug.cgi?id=664611
Hello GNOME Team,

I'd like to raise awareness of this bug in libVTE:
http://www.climagic.org/bugreports/libvte-scrollback-written-to-disk.html
(excerpt below)

Please see the upstream bug [1] and another bug that describes another problem [2]
(disk does not go idle) caused by this.

I talked to the security team today, and it looks like they have no interest in
this issue, but I still would like to see it fixed.

There is a launchpad bug [3] for Ubuntu, with a patch providing a proper memory
scrollback buffer.

Thanks
Markus Frosch

[1] https://bugzilla.gnome.org/show_bug.cgi?id=664611
[2] https://bugzilla.gnome.org/show_bug.cgi?id=631685
[3] https://bugs.launchpad.net/ubuntu/+source/vte/+bug/778872

[ excerpt from this page ]
Summary:
-----------------------------------------------------------------------
Due to the way the terminal's scrollback history buffer (not shell command
history) is saved in terminal emulators using libVTE after version 0.21.6,
data from inside your terminal window can end up on your local filesystem.
This is most likely unexpected behavior in a terminal emulator and represents
a very significant security issue.
Worst case scenario:
-----------------------------------------------------------------------
Classified, secret or medical information that was accessed through a
terminal window was thought to be safe because it was on a remote server
and only accessed via SSH, but now it's also on the hard drive that is
for sale online or stolen without having been wiped because this
issue was not accounted for.
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.9-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libvte9 depends on:
ii libatk1.0-0 2.8.0-2
ii libc6 2.17-7
ii libcairo2 1.12.14-4
ii libfontconfig1 2.10.2-2
ii libfreetype6 2.4.9-1.1
ii libgdk-pixbuf2.0-0 2.28.2-1
ii libglib2.0-0 2.36.3-3
ii libgtk2.0-0 2.24.20-1
ii libncurses5 5.9+20130608-1
ii libpango1.0-0 1.32.5-5+b1
ii libtinfo5 5.9+20130608-1
ii libvte-common 1:0.28.2-5
ii libx11-6 2:1.6.0-1
libvte9 recommends no packages.
libvte9 suggests no packages.
-- no debconf information
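
A check for the behaviour the excerpt describes, as an added example that is not part of the original bug report: it lists processes that still hold an unlinked scrollback temp file open. The `vte*` file-name pattern and the function name `find_vte_scrollback` are assumptions and do not come from the report.

```shell
#!/bin/sh
# find_vte_scrollback [PROC_ROOT]
# Prints "PID COMMAND FD TARGET" for every open file descriptor whose link
# target looks like an unlinked libvte scrollback temp file.
# Assumption (not stated in the report): the temp files are named "vte*" and
# are unlinked right after creation, so they show up in /proc/<pid>/fd as
# "<path>/vteXXXXXX (deleted)". Adjust the pattern if your version differs.
# Run as root to see descriptors of other users' processes.
find_vte_scrollback() {
    proc_root="${1:-/proc}"
    for fd in "$proc_root"/[0-9]*/fd/*; do
        # Unmatched globs and vanished descriptors are skipped here.
        [ -L "$fd" ] || continue
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            */vte*" (deleted)")
                pid=${fd#"$proc_root"/}
                pid=${pid%%/*}
                comm=$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')
                printf '%s %s %s %s\n' "$pid" "$comm" "${fd##*/}" "$target"
                ;;
        esac
    done
}

# Scan the live system only when explicitly asked to.
if [ "${1:-}" = "--scan" ]; then
    find_vte_scrollback /proc
fi
```

Any line of output means terminal contents are currently backed by a file on the filesystem that holds that path, so the disk or partition behind it needs the same handling as any other medium carrying that data.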