Package: systemd
Version: 231-2
Severity: critical
Tags: security

[Severity and tag due to the likely possibility of exposing user passwords this way. If this occurs with the version in jessie as well, it'll require a security update.]

After running "systemctl daemon-reexec" from within an X session, all keystrokes in the X session (including passwords) appear on the underlying text console as well. They show up during the shutdown process, or any other time X stops. Since systemd's postinst runs "systemctl daemon-reexec" on upgrades, this would occur in any session after upgrading the systemd package.

I can reliably reproduce this, either by upgrading or downgrading the systemd package, or by running "systemctl daemon-reexec" (as root).

This might potentially explain the mention in bug 819500 of seeing usernames and passwords on the console, as well. This would only happen in a session after upgrading systemd or otherwise running "systemctl daemon-reexec", which would explain not seeing it every time.

-- Package-specific info:

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-rc7-amd64 (SMP w/4 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages systemd depends on:
ii  adduser         3.115
ii  libacl1         2.2.52-3
ii  libapparmor1    2.10.95-4
ii  libaudit1       1:2.6.5-1
ii  libblkid1       2.28-6
ii  libc6           2.23-4
ii  libcap2         1:2.25-1
ii  libcap2-bin     1:2.25-1
ii  libcryptsetup4  2:1.7.0-2
ii  libgcrypt20     1.7.2-2
ii  libgpg-error0   1.24-1
ii  libidn11        1.33-1
ii  libkmod2        22-1.1
ii  liblzma5        5.1.1alpha+20120614-2.1
ii  libmount1       2.28-6
ii  libpam0g        1.1.8-3.3
ii  libseccomp2     2.3.1-2
ii  libselinux1     2.5-3
ii  libsystemd0     231-2
ii  mount           2.28-6
ii  util-linux      2.28-6

Versions of packages systemd recommends:
ii  dbus            1.10.8-1
ii  libpam-systemd  231-2

Versions of packages systemd suggests:
ii  policykit-1        0.105-16
pn  systemd-container  <none>
pn  systemd-ui         <none>

Versions of packages systemd is related to:
ii  udev  231-2

-- no debconf information