Data Breach Flaw Found In Gnome-terminal, Xfce Terminal and Terminator
suso writes "A design flaw in the VTE library was published this week. The VTE library provides the terminal widget and manages the scrollback buffer in many popular terminal emulators including gnome-terminal, xfce4-terminal, terminator and guake. Due to this flaw, your scrollback buffer ends up on your /tmp filesystem over time and can be viewed by anyone who gets ahold of your hard drive. Including data passed back through an SSH connection. A demonstration video was also made to make the problem more obvious. Anyone using these terminals or others based on libVTE should be aware of this issue as it even writes data passed back through an SSH connection to your local disk. Instructions are also included for how to properly deal with the leaked data on your hard drive. You are either encouraged to switch terminals and/or start using tmpfs for your /tmp partition until the library is fixed."
We have a means to strike back at Skynet using this breach in the Terminator systems!
"Lack of speed can be overcome. In the worst case by patience." --Znork
...to have my command history stolen!
Shoot the VTE lib. Gimmie back my ASR 33.
You have to be root (or the user who was running terminal in the first place) to see the scrollback data.
So, how is this different than all of the hack-tastic things that root can already do?
Just because it's a bug report for a terminal emulator, doesn't mean it has to look like it's in a terminal emulator...
it rocks!
I would have responded sooner but this beachball would NOT go away.
Aterm seems to be ok.
i don't see it listed as using libVTE
http://packages.debian.org/wheezy/aterm
This really sounds like how it was designed to work.
That's what /tmp is for, after all, is it not? Sounds like the problem would be solved by partitioning different users' data into separate, appropriately secured /tmp files.
Is bash history a "flaw" too? I'm sure plenty of people don't know that it's a text file anybody with access to it can read.
Once you go tmpfs, why would you ever go back, VTE flaws or not? tmpfs kicks ass.
Then encrypt your swap (random key every boot; you don't even need to know a key to be coerced from you) and you have a safe /tmp.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Interesting choice of inspirational quote:
The same applies to blame, Behdad.
If you were blocking sigs, you wouldn't have to read this.
You got that half right.
Great minds think alike; fools seldom differ.
This is not a bug. This is exactly how /tmp is meant to be used. It is no different from sensitive data from your internet cache being stored on the hard drive.
If your garbage data is sensitive, you should encrypt /tmp, or mount a tmpfs there.
This is true of vi and many other programs. The exact same issue occurs with the swap partition.
Anyone can solve this problem, just mount /tmp and swap using dm-crypt with a new random password every reboot. The partitions are perfectly good while the computer is booted, but are unintelligible afterwards.
Well?
Aside from that, any /tmp (physical or volatile) can be a problem on a multiuser system if the app is dumb enough to create files with go+r permissions. If this isn't done, those files are as secure as any in my home directory.
Have gnu, will travel.
considering how much /tmp gets used, having it in memory is one of the quickest ways to boost the performance of your system...
Yes Francis, the world has gone crazy.
For making /tmp out of the virtual memory pool - there is no *on disk* image to read. when the box is rebooted, /tmp is empty - always.
If someone has physically stolen your computer then the thief being able to read old terminal sessions is the least of your worries.
Various shells store command history as a .[shell name]_history file in the user's home directory which can be left between sessions. That's happened for years and root can view that too.
Sure, this may be a bug but frankly it's a non issue.
That would be in your .bash_history file (or whatever you name it locally).
Really, this is way overblown by calling it a "data breach": it's not as if your data is compromised to a remote attacker. It requires that somebody else has your disk. As we all know, if your hardware is stolen/confiscated/impounded/seized/whatever, only encryption can keep your data safe. Apparently, even that can be circumvented by legal compulsion.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Nothing to see here, and moving on .. so you have access to the tmp directory which may have a record of what you viewed during the session ...
AccountKiller
Does this impact KDE's Konsole, too?
Now get of my lawn!
I thought linux systems were bulletproof ?!
ever since MGT withered on the vine.
If I were the author of this library I'd be a little annoyed. The article is written as if the library does something wrong. It does not. It stores data on /tmp, which is there to be used as scratch space. To read the file you have to be the owner or root, which has been true of every process that has written there since before my years. This is perfectly correct.
Okay, some users might not expect their terminal emulator to keep temporary files. Yes, if your disk is appropriated someone not root in your environment might be able to read it. Which is true of basically any process that writes anything to disk anywhere; even ones that don't. Suppose my system is under enough VM pressure that my good old-fashioned xterm gets paged out? Why, scrollback buffer data, which might even have come from SSH, would be right there on my disk! OH! NOS!
If you are dealing with a system that is physically insecure, like a laptop, or a machine in a public spot, or information that is so sensitive you'd be more concerned about it being out there than the fact that your hard disk or entire system has gone missing, there is a solution for that. It's called disk encryption! If you use Linux it won't even cost you anything!
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Just take a look at what the GNOME developers call "community relations" these days:
https://bugzilla.gnome.org/show_bug.cgi?id=664611
The very first person that tries to protest the lack of response by the VTE developers gets his account disabled immediately. And people wonder why GNOME 3 is such a clusterfuck, it's full of people like Behdad.
Seriously. Disable scrollback and use screen. Your life will improve.
..that you once owned, you have a much bigger problem than your scrollback buffer.
AES-NI makes encryption almost free. There's no reason not to use it.
sudo apt-get install putty?
This is truly a non-issue. If your machine has swap, then ANYTHING in memory can end up on the disk. The data is not exposed in a way that it can be grabbed by other users, you would have to dig through the disk image to find the unlinked file.
Very simply, if you ever dispose of or sell a hard drive, you MUST wipe it first. If a drive fails and you want to make sure no data gets out when you throw it away, you must destroy the platters.
SSH has nothing to do with this. It is not and never was a magic faery wand that prevents data disclosure. Once the data gets from remote to local, its job is done.
Anonymous Coward,
You may want to read the end of this comment before jumping to conclusions:
https://bugzilla.gnome.org/show_bug.cgi?id=664611#c10
I.e. I offered to fix it, before the report was published. And the report is deliberately misinformed to make it look like I said I don't have any intention to fix it. And the report author tweeted [1] "Apparently not a lot of people read Slashdot anymore or RTFA. I've only had 971 hits to the article so far. :-(", which makes me believe that his true intention was to get Slashdot / Reddit / Hacker News bragging rights. Comes in handy if you are a sysadmin I guess...
behdad
[1] https://twitter.com/#!/climagic/status/177796284755873793
I have read the thread, actually, and I saw your childish non-responses that resulted in this blowing up in the first place. As far as I'm concerned the motivations of the author don't matter, and they shouldn't matter to _YOU_ either. If the bug still exists, and it does, you should be _IGNORING_ his intentions and working on fixing the security vulnerability, not scurrying about on Slashdot trying to defend yourself when you've already proven your position indefensible.
I'm personally quite glad that I switched to KDE 4.8. It's stable, offers more features than GNOME 3 ever _will_ offer, and best of all, Behdad? It doesn't have people like you working on it, which means that a security vulnerability will be given the attention it's due, not put on the backburner because somebody on the Internet hurt your feelings. Grow the hell up. You've embarrassed yourself enough already, time to either fix your damn code or step aside and let someone more capable do the job.
From your link, you offered 3 suggestions as to how you might fix this, then the submitter said that he didn't like the code writing to /tmp at all, and that you should remove the offending code *instead* of any of your suggestions.
You then threw your toys out of the pram, saying that he should comment on your suggestions (WTF? He did! He doesn't want you to implement any of them!), suggested he should fork VTE(!!!!!), and then behaved like a rude 4 year old for the rest of the thread.
You even managed to get another user banned, even though his only crime was to descend to *your* level.
This is a shining example of how open source should *not* work. You should be ashamed of yourself.
Yet another reason to use a VT100 hooked up to the serial port !
So if someone had your physical disk, they'd have your SSH private key too that you used to log on to another host and run commands, so wouldn't you have much bigger problems?
I opened this bug back in 2011: https://bugs.launchpad.net/ubuntu/+source/vte/+bug/778872 I've also fixed it now. See the patch: https://bugs.launchpad.net/ubuntu/+source/vte/+bug/778872/+attachment/2836456/+files/stream-mem.patch
Although Behdad is behaving irresponsibly, Konsole is also affected hence KDE.
As a user I hope that the root of the machine cannot see what's on my screen, security, privacy and else, you know, stuff...
cd /proc/25044/fd
Check for deleted tmp files.
lrwx------ 1 hakan hakan 64 2012-03-08 21:32 24 -> /tmp/vteDN7ZAW (deleted)
lrwx------ 1 hakan hakan 64 2012-03-08 21:32 25 -> /tmp/vteHZ7ZAW (deleted)
lrwx------ 1 hakan hakan 64 2012-03-08 21:32 26 -> /tmp/vteQZ7ZAW (deleted)
Let's have a peek, head 25 gives me:
hakan@photon:21:28:40:~$ find .
.
./.mplayer
./.mplayer/gui.pl
./.mplayer/gui.history
./.mplayer/gui.conf
./.mplayer/config
./.mplayer/gui.url
That's exactly what I had typed on my just-installed-about-to-be-uninstalled gnome-term instance.
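The manual /proc/PID/fd inspection in the post above, turned into a repeatable check. This is an added example written for this thread, not code from the poster or from VTE: it walks a /proc-style tree, reports every open descriptor whose target is an unlinked file under a given prefix (here /tmp/vte), and can be pointed at a constructed tree for testing. The function and parameter names are assumptions; the only Linux behaviour relied on is that readlink on an fd of an unlinked file ends in " (deleted)".

```shell
#!/bin/sh
# Added example (not from the thread). Lists unlinked scratch files that running
# processes still hold open, i.e. data that is gone from the directory listing
# but still sits on disk (or in swap) for as long as the process lives.
#
# find_deleted_tmp_fds PROC_ROOT PREFIX
#   Prints "PID FD TARGET" for each open fd whose target is an unlinked file
#   whose path starts with PREFIX. Returns 0 if any were found, 1 otherwise.
#   PROC_ROOT is normally /proc; it is a parameter so the same walk can be run
#   over a copied or constructed tree. Other users' fd directories are not
#   readable without root, so a non-root scan covers only your own processes.
find_deleted_tmp_fds() {
    proc_root=$1
    prefix=$2
    found=1
    for fddir in "$proc_root"/[0-9]*/fd; do
        [ -d "$fddir" ] || continue
        pid=${fddir#"$proc_root"/}
        pid=${pid%/fd}
        for link in "$fddir"/*; do
            [ -L "$link" ] || continue
            # readlink fails on fds we may not inspect; skip those quietly.
            target=$(readlink "$link" 2>/dev/null) || continue
            case $target in
                "$prefix"*" (deleted)")
                    printf '%s %s %s\n' "$pid" "${link##*/}" "$target"
                    found=0
                    ;;
            esac
        done
    done
    return $found
}

# count_deleted_tmp_fds PROC_ROOT PREFIX: number of matching descriptors,
# convenient for a monitoring check that alerts on a non-zero count.
count_deleted_tmp_fds() {
    find_deleted_tmp_fds "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone use: scan the live system for VTE scrollback files.
if [ "${1:-}" = "--scan" ]; then
    find_deleted_tmp_fds /proc /tmp/vte \
        || echo "no unlinked /tmp/vte* files held open by your processes"
fi
```

Run it as `sh check.sh --scan` (as root to see every user's terminals); the same approach with a different prefix shows what any other program keeps alive in /tmp after unlinking.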
Yes, and which do you think will have that bug fixed first, judging by the way Behdad is behaving? Keep in mind he's the one that would actually be _FIXING_ the bug, if it ever gets fixed.
The ranks of GNOME 3's developers are literally _filled_ with people like him. Best to just drop the entire project and save yourself a lot of trouble as far as I'm concerned. Yes, Konsole is vulnerable now, but unlike Behdad the maintainers responsible for KDE actually care about security issues, they don't let their massive and unsavoury personalities get in the way of work being done. I'd be much more willing to trust my security to their code than anything written by that man-child, or _not_ written to be more precise. His suggestion to the initial reporter? Fork VTE and fix it yourself. Hell, there's a patch in the thread that was contributed by an Ubuntu developer no less and I doubt Behdad will even accept it. He'll probably delete the entire report just out of spite and leave millions of machines vulnerable to satisfy his masturbatory ego.
This is how you should implement unlimited scrollback, create a tmp file in /tmp and then unlink it so it will be freed on exit.
I'm hoping the VTE guys don't change to a less good implementation just because some idiot is screaming off rooftops, "The sky is blue! The sky is blue!"
Although Behdad is behaving irresponsibly, Konsole is also affected hence KDE.
Please! Pretty please tell me how Behdad is behaving irresponsibly?
I'd say EVERY PERSON IN THE WORLD (including YOU!) is behaving MORE irresponsibly by not contributing to VTE themselves.......
Maybe I am an idiot, but what is wrong with limited scroll-back memory?
At least then people remember the use of scroll-lock. ;-)
Nope, they rock. When KDE did their big roll-out of KDE4 the lists *EXPLODED* with the wailing and gnashing of teeth. KDE4 arrived stable and that loud minority either adapted or went on to something else. Much the same thing happened with GNOME3 - although less than I expected. I moved to GNOME3 from GNOME2 and within a week it was clear that it was a superior system. But some adaptation was required.
it's not the same thing. The backlash against KDE4 was because it was released too soon, when it had many bugs and lacked feature parity with KDE3. The backlash against GNOME3 is because it was released at all--because it threw out what has been proven to work in favor of experimental ideas from self-appointed "designers"--because GNOME3, compared to GNOME2, is a developers' and designers' playground. GNOME3 should not have been called GNOME3, because it should not have been intended to replace GNOME2 at this time, if ever.
And this particular bug is nonsense. Basically: if someone steals your harddrive they can read your data! Really? Wow, that's a surprise. This has always been true, is true of /home, /var. and everything else unless you encrypt everything.
Why so dense? How'd you feel if you discovered that ffmpeg had been recording a video of your entire screen all the time, without your knowledge, dumping it to /tmp? Yeah, if someone gets your disk they can see what's on it--the point is that these things shouldn't be on the disk in the first place! The screen is a transient, ephemeral medium--to treat it as a semi-permanent medium by recording it to disk is breaking long-established convention, and to do it without announcing it in FLASHING RED LETTERS is to break users' trust. If you go to a web site and then delete your history/cache/etc, you can reasonably expect it to not be seen on your disk, unless someone puts forth a lot of effort looking for something that, from their perspective, might not even exist. But if your whole session is dumped to the disk separately, all someone has to do is look at that file. Even if it's deleted, recovering large chunks of one large file is easier than digging up old parts of a SQLite db and making something out of it.
Yes, it comes from a vocal minority who don't realize all these changes were discussed and made out in the open. Now they enjoy pitching a fit and claiming the design changes are somehow being forced upon them.
Hahaha! Yeah, just like Congress! Their sessions are public record, so if they do something we don't like, why should we complain? They were discussed in the open!
At least we can try to vote better people into office. GNOME, however, consists of self-appointed experts. They abdicate any sense of responsibility to their many users in favor of their own, narrow-minded views. No, they have no legal responsibility to users, but I advocate a higher standard than the bare minimum: they know people depend on their software, so they should not play around willy-nilly with what they release as the standard version. If they want to experiment, fine--call it something else and release it separately!
I want to work efficiently. GNOME3 lets me do that... more than GNOME2 did. This is an important distinction from, based on mail list traffic, people who apparently *NEED* to see the real-time weather report for three cities in the panel clock in order to be productive. I think the group primarily 'alienated' by GNOME3 are the "tweakers". They have a computer almost for the sole purpose of tweaking the appearance of the user-interface. One reads much of those posts and says "eh? really? don't you have something to *do*.".
This condescending attitude is exemplary of what GNOME has become. "I don't want or need to do that--why should you? Get a life." I foresee GNOME self-destructing and splitting up into a bunch of forks that will sputter
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
The point is that this data should never have hit the disk in the first place. The screen is expected to be an ephemeral medium--not one recorded to disk automatically. How would you feel if you discovered that ffmpeg was recording your entire screen to /tmp/username.mpg without your knowledge? Sure, clear your browser cache and history and vacuum the dbs--but then all I need to do is find the stream of your desktop session video and play it back, and I'll be able to see most of what you did, even though it was unlinked, unless you also wipe that file byte-by-byte.
The principle is the same. To do this is a violation of long established conventions, and to do it without warning the user in BIG RED LETTERS is a violation of trust. To then downplay the issue is to dismiss reality.
Sure, you SSH in to a remote system and expect that data to hit the screen and then disappear into RAM's black hole of power-off-ness. But, oops, it was written to disk, and someone could dig it up?
The point is not that you could or should encrypt /tmp and swap--the point is that the screen's contents are not expected to hit the disk automatically.
"Those who consume the bulk of goods are those who make them. We must never forget this secret of our prosperity."
Yeah, how are we supposed to read it when you've had the bug closed to the public, Behdad? Care to answer that while you're desperately trying to save your reputation on Slashdot of all places? Somehow I doubt it.
Incidentally, folks, the reason that he closed the bug was that Kees Cook submitted a patch for it in the thread. Now why would Behdad be against a patch, particularly since in the thread that he's now closed to the public he expressed no interest whatsoever in dealing with the bug himself? Because Kees Cook is an Ubuntu developer and Behdad used to work for Redhat. In other words, Behdad's ego is so massive and bloated that he's not even going to let someone _else_ fix the problem, particularly if they're not a Redhat crony.
How is not responding childish? Maybe he was busy or had more things to do than respond to a bunch of whiny demanding nerds. If you're not paying for support you are entitled to absolutely nothing. Deal with it.
The "mighty mod down" (more like weak wuss tactic) and not disproving what was said? LMAO, you lose, losers.
fuck you goddamn windows monkeys. take your stupid asses to a different site that caters to your pussy ass windows machine.