XMir Has A Big Security Problem With VT Switching

Written by Michael Larabel in Ubuntu on 22 August 2013 at 08:35 AM EDT. 71 Comments
UBUNTU
A rather glaring security issue has been present in Canonical's XMir component for its new Mir display server, but there's been very little action in addressing the problem.

The security problem with XMir is that if you switch away from it -- such as the Unity 7 desktop running on XMir as Radeon/Intel/Nouveau users will find in Ubuntu 13.10 -- to say a virtual terminal, the XMir session still has access to the input devices. Mir isn't informing XMir when a VT switch occurs and thus this X11 compatibility layer still has access to any input devices, which mean they can read what you're typing.

Matthew Garrett wrote about this issue on his blog. For explaining this issue in a straightforward manner, "Open a terminal or text editor under Xmir and make sure it has focus. Hit ctrl+alt+f1 and log in. Hit ctlr+alt+f7 again. Your username and password will be sitting in the window."

This is a fairly big deal since XMir will be used by the default Unity desktop in Ubuntu 13.10. The bug has been known by Canonical for the past month and a half, but it hasn't been resolved and since then the Mir packages have been promoted to the main archive.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week