Bug#474024: Fixed upstream?

Josselin Mouette joss at debian.org
Sun Oct 31 06:38:55 UTC 2010


On Saturday 30 October 2010 at 23:36 +0200, Yury V. Zaytsev wrote:
> $ wget ftp://ftp.freebsd.org/pub/FreeBSD/ports/distfiles/xspy-1.0c.tar.gz
> $ tar -xzvf xspy-1.0c.tar.gz 
> $ gcc *.c -lX11 -DNULL=0 -o xspy
> $ ./xspy 
> 
> $ gksu /bin/true
> 
> Enjoy reading your password, and there's not even any need to ptrace anything:
> just query the keymap repeatedly and that's it. Maybe worth noting
> that this "exploit" has been out there for 8 years, at least...
> 
> Considering the above, I would actually claim that gksu IS ineffective
> as it is shipped now and I can't see how this issue could possibly be
> fixed-upstream by applying a patch adding a warning to the man page.

If you ever believed that there is *any* way to prevent a program having
access to your session from obtaining root access when you use the same
session to do stuff as root, you have been abused. It’s possible to make
things harder, but the purpose of locking keyboard and mouse is to avoid
*accidentally* leaking the password. If there is a malicious program
running in your session, you are completely screwed.

-- 
 .''`.      Josselin Mouette
: :' :
`. `'  “If you behave this way because you are blackmailed by someone,
  `-    […] I will see what I can do for you.”  -- Jörg Schilling







More information about the pkg-gnome-maintainers mailing list