Forgot your password?
typodupeerror
GNOME Security IT Linux

Data Breach Flaw Found In Gnome-terminal, Xfce Terminal and Terminator 184

Posted by timothy
from the so-it-can-be-fixed-now dept.
suso writes "A design flaw in the VTE library was published this week. The VTE library provides the terminal widget and manages the scrollback buffer in many popular terminal emulators including gnome-terminal, xfce4-terminal, terminator and guake. Due to this flaw, your scrollback buffer ends up on your /tmp filesystem over time and can be viewed by anyone who gets ahold of your hard drive. Including data passed back through an SSH connection. A demonstration video was also made to make the problem more obvious. Anyone using these terminals or others based on libVTE should be aware of this issue as it even writes data passed back through an SSH connection to your local disk. Instructions are also included for how to properly deal with the leaked data on your hard drive. You are either encouraged to switch terminals and/or start using tmpfs for your /tmp partition until the library is fixed."
This discussion has been archived. No new comments can be posted.

Data Breach Flaw Found In Gnome-terminal, Xfce Terminal and Terminator

Comments Filter:
  • by Mysticalfruit (533341) on Thursday March 08, 2012 @12:22PM (#39289093) Journal
    considering how much /tmp gets used, having it in memory is one of the quickest ways to boost the performance of your system...
  • Umm (Score:4, Interesting)

    by Viol8 (599362) on Thursday March 08, 2012 @12:25PM (#39289143)

    If someone has physically stolen your computer then the thief being able to read old terminal sessions is the least of your worries.

  • Re:Overblown (Score:0, Interesting)

    by Anonymous Coward on Thursday March 08, 2012 @02:46PM (#39291257)

    Funny, Behdad, I thought you weren't going to pay attention to this bug: https://bugzilla.gnome.org/show_bug.cgi?id=664611 [gnome.org]

    I suppose once your name hit Slashdot you decided to change your tune, did you? Because it sure sounds like you're an arrogant prick from the thread you and Andre are trying to suppress.

  • Re:Umm (Score:4, Interesting)

    by Shark (78448) on Thursday March 08, 2012 @06:45PM (#39294801)

    Bug aside, from reading the rest of these threads, it seems to me like GNOME devs are getting quite a bad reputation these days. Sure, there's no way to make everyone happy and I wouldn't expect anyone to undertake this sort of impossible challenge. This being said, all the scorn must come from somewhere. My humble opinion is that once you reach a critical mass of users, enforcing a new grand-vision that the majority of those users (the ones who acutally chose to use GNOME, not those who don't know what a DE is) do not agree with is very likely to cause quite a bit of backlash... Case in point, GNOME developers as a whole being bashed for what essentially is one bug in one lib by one person.

    Sure, there's a large portion of users who aren't technical whom one might think they are catering to when they remove features considered 'too complex'. The fact is though that these are the people who don't even care what DE they're using, they're not loyal customers, they're just not interested in what you've done so long as it works for them. The only base GNOME has truly alienated is the base that had made a very conscious and educated choice to use that DE on its technical merits, the ones who felt that the DE allowed them to work the way they want to work. Sure you can change all that but only at the cost of those users. They don't take kindly to what pretty much amounts to: Look, the way you used your computer is stupid, we'll force our alternative on you.

    So, as the flames rage on and you feel the burn, remember that the GNOME team doused itself in gasoline prior to this.

  • Re:Umm (Score:4, Interesting)

    by Whitemice (139408) on Friday March 09, 2012 @07:00AM (#39299191) Homepage

    I'm a long time GNOME user, not a GNOME developer.

    Bug aside, from reading the rest of these threads, it seems to me like GNOME devs are getting quite a bad reputation these days

    Nope, they rock. When KDE did there big roll-out of KDE4 the lists *EXPLODED* with the wailing and gnashing of teeth. KDE4 arrived stable and that loud minority either adapted or went on the something else. Much the same thing happened with GNOME3 - although less than I expected. I moved to GNOME3 from GNOME2 and within a week it was clear that it was a superior system. But some adaptation was required.

    And this particular bug is nonsense. Basically: if someone steals your harddrive they can read your data! Really? Wow, that's a surprise. This has always been true, is true of /home, /var. and everything else unless you encrypt everything.

    This being said, all the scorn must come from somewhere.

    Yes, it comes from a vocal minority who don't realize all these changes where discussed and made out-in-the-open. Now they enjoy pitching a fit and claiming the design changes are somehow being forced upon them.

    My humble opinion is that once you reach a critical mass of users, enforcing a new grand-vision that the majority of those users (the ones who acutally chose to use GNOME,

    Well, I'm one that uses GNOME ~9 hours a day. For work.

    GNOME developers as a whole being bashed for what essentially is one bug in one lib by one person.

    Eh. Spend time producing ANY kind of content and you'll eventually get someone who thinks they can get themselves some BLOG karma by bashing you.

    The only base GNOME has truly alienated is the base that had made a very conscious and educated choice to use that DE on its technical merits, the ones who felt that the DE allowed them to work the way they want to work.

    I want to work efficiently. GNOME3 lets me do that... more than GNOME2 did. This is an important distinction from, based on mail list traffic, people who apparently *NEED* to see the real-time weather report for three cities in the panel clock in order to be productive. I think the group primarily 'alienated' by GNOME3 are the "tweakers". They have a computer almost for the sole purpose of tweaking the appearance of the user-interface. One reads much of those posts and says "eh? really? don't you have something to *do*.".

    we'll force our alternative on you.

    The use of the term "force" in this context is bogus.

    remember that the GNOME team doused itself in gasoline prior to this

    Nah, they doused themselves with awesome.

Nothing is impossible for the man who doesn't have to do it himself. -- A.H. Weiler

Working...