Package: libvte9
Version: 1:0.28.2-5
Severity: normal
Tags: upstream
Control: forwarded -1 https://bugzilla.gnome.org/show_bug.cgi?id=664611

Hello GNOME Team,

I'd like to raise awareness of this bug in libVTE:
http://www.climagic.org/bugreports/libvte-scrollback-written-to-disk.html
(excerpt below)

Please see the upstream bug [1] and another bug that describes another
problem [2] (disk does not go idle) caused by this.

I talked to the security team today, and it looks like they have no interest
in this issue, but I still would like to see it fixed.

There is a launchpad bug [3] for Ubuntu, with a patch providing a proper
memory scrollback buffer.

Thanks
Markus Frosch

[1] https://bugzilla.gnome.org/show_bug.cgi?id=664611
[2] https://bugzilla.gnome.org/show_bug.cgi?id=631685
[3] https://bugs.launchpad.net/ubuntu/+source/vte/+bug/778872

[ excerpt from this page ]

Summary:
-----------------------------------------------------------------------
Due to the way the terminal's scrollback history buffer (not shell
command history) is saved in terminal emulators using libVTE after
version 0.21.6, data from inside your terminal window can end up on your
local filesystem. This is most likely unexpected behavior in a terminal
emulator and represents a very significant security issue.

Worst case scenario:
-----------------------------------------------------------------------
Classified, secret or medical information that was accessed through a
terminal window was thought to be safe because it was on a remote server
and only accessed via SSH, but now it's also on the hard drive that is
for sale online or stolen without having been wiped because this issue
was not accounted for.

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.9-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libvte9 depends on:
ii  libatk1.0-0         2.8.0-2
ii  libc6               2.17-7
ii  libcairo2           1.12.14-4
ii  libfontconfig1      2.10.2-2
ii  libfreetype6        2.4.9-1.1
ii  libgdk-pixbuf2.0-0  2.28.2-1
ii  libglib2.0-0        2.36.3-3
ii  libgtk2.0-0         2.24.20-1
ii  libncurses5         5.9+20130608-1
ii  libpango1.0-0       1.32.5-5+b1
ii  libtinfo5           5.9+20130608-1
ii  libvte-common       1:0.28.2-5
ii  libx11-6            2:1.6.0-1

libvte9 recommends no packages.

libvte9 suggests no packages.

-- no debconf information