Security Issue While Switching Between Virtual Terminals On Canonical’s XMir

A big security issue has been descovered at Canonical’s XMir display server, but until know, nobody fixed it.

The virtual terminal implementation on Mir is simple, it listens for input events whenever a key is pressed simultaneously, with CTRL or ALT. The problem is that Mir does not announce XMir to stop XMir from recording the input events, when needed.

The problem is that sensitive information, such as usernames and passwords may appear in other X sessions, and this creates a security leaks. To be more precise: open a terminal under XMir and hit CTRL + ALT + F1 to log in,  if you press Ctrl + Alt + F7 the username and password will be sitting in the window.

This bug was signaled more than a month ago, but nobody fixed it. A while ago, Mir was added to the Ubuntu 13.10 Saucy Salamander default repositories.

As you may know, Canonical decided to replace the good old server with Mir, their own display server, in order to use it on both Ubuntu Touch and Ubuntu 13.10 Saucy Salamander and higher. The developers aim to get Mir ready until the 29th of August, when it gets in the Feature Freeze state.

If you are a bleeding edge technology enthusiast and want to test the Mir display server on Ubuntu 13.10 Saucy Salamander, do this:

$ sudo apt-get update
$ sudo apt-get dist-upgrade
$ sudo apt-get install mir-demos unity-system-compositor

Tagged with: , , , , , , ,
Posted in The Linux and Unix Articles!

Leave a Reply

Your email address will not be published. Required fields are marked *




Subscribe to get the latest Linux news and how to guides directly on your e-mail!