The xfce terminal is vulnerable to keyboard snooping with programs such as ixkeylog (http://dornea.nu/projects/ixkeylog). The gnome-terminal program is not vulnerable, because it follows techniques discussed here: http://comments.gmane.org/gmane.comp.gnome.hackers/496 In particular, XGrabKeyboard() is a good idea?
Why is this marked as "invalid"? Shouldn't this bug be fixed at some point?
This is nothing to fix in terminal. Have you actually read the discussion?
(In reply to comment #2)
> This is nothing to fix in terminal. Have you actually read the discussion?

I am a bit disappointed by your manner.

I took another look at the discussion... it looks like the Xsecurity extension could solve the problem properly. This still seems like a good idea to me (despite Jim Gettys' unexplained skepticism -- if someone owns my xchat client or web browser, I wouldn't want them to be able to sniff or plant commands into my terminal.)

gnome-terminal and vte do not implement the Xsecurity stuff, so I'm not sure why it didn't succumb to my tests with ixkeylog.

In the meantime, I think it would make sense for the documentation to mention this vulnerability, and to leave a bug open so that this issue doesn't get forgotten about.
If so, this should be fixed by vte, not the application around it, since it does no grabbing nor handling of the input. That said, every application under Linux becomes vulnerable if you can hook into X events.

But a bug is only useful if it should be fixed by the application, not if it's an issue somewhere else.
(In reply to comment #4)
> If so, this should be fixed by vte, not the application around it, since it
> does no grabbing nor handling of the input. That said, every application
> under Linux becomes vulnerable if you can hook into X events.
>
> But a bug is only useful if it should be fixed by the application, not if
> it's an issue somewhere else.

Thanks for the thoughtful answer. I agree that all applications should be fixed, but that the terminal is especially important because it often hosts su/sudo sessions which are both privileged and general-purpose (as opposed to, say, update-manager...)

I think it's important to alert users of vulnerabilities -- users won't know to read the libvte documentation. I think most users would be quite surprised to learn about this problem.

Security vulnerabilities are unlike other problems, and I think they require a special approach. If this were merely a font rendering issue, I would agree that it would only make sense to record this as a bug in vte. By giving the problem more publicity, people are more likely to volunteer to try to fix it properly.

Of course, I certainly wouldn't want to "blame" your excellent and generous work on this vulnerability.