A rather glaring security issue has been present in Canonical's XMir component for its new Mir display server, but there's been very little action in addressing the problem.
The security problem with XMir is that if you switch away from it -- such as the Unity 7 desktop running on XMir as Radeon/Intel/Nouveau users will find in Ubuntu 13.10 -- to say a virtual terminal, the XMir session still has access to the input devices. Mir isn't informing XMir when a VT switch occurs and thus this X11 compatibility layer still has access to any input devices, which mean they can read what you're typing.
Matthew Garrett wrote about this issue on his blog
. For explaining this issue in a straightforward manner, "Open a terminal or text editor under Xmir and make sure it has focus. Hit ctrl+alt+f1 and log in. Hit ctlr+alt+f7 again. Your username and password will be sitting in the window."
This is a fairly big deal since XMir will be used by the default Unity desktop in Ubuntu 13.10. The bug has been known by Canonical for the past month and a half, but it hasn't been resolved and since then the Mir packages have been promoted to the main archive.