Bug#474024: gksu: locking mouse/keyboard not enough to protect against keylogging
Josselin Mouette
joss at debian.org
Sat Apr 26 21:19:10 UTC 2008
severity 474024 important
tag 474024 + security
thanks
Le mercredi 02 avril 2008 à 22:53 +0300, Timo Lindfors a écrit :
> man gksu mentions that gksu can "lock" keyboard, mouse and focus
> before it asks for a password. This can easily give the misconception
> that other programs running with the privileges of the user could not
> capture the password.
> This claim is untrue since a malicious application running with the
> privileges of the user can run
>
> strace -p `pidof gksu` -s 4096 -o strace.out
>
> and later recover the password (here "test1234") from strace.out:
Indeed, gksu should be made setgid something to protect against such
attacks.
Cheers,
--
.''`.
: :' : We are debian.org. Lower your prices, surrender your code.
`. `' We will add your hardware and software distinctiveness to
`- our own. Resistance is futile.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Ceci est une partie de message
=?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e?=
Url : http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20080426/e2ac6553/attachment.pgp
More information about the pkg-gnome-maintainers
mailing list