Setting to new because he submitted it upstream.
** Changed in: gnome-keyring (Ubuntu)
Status: Incomplete => New
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-keyring in Ubuntu.
https://bugs.launchpad.net/bugs/1772919
Title:
pam-gnome-keyring.so reveals user’s password credential as a plaintext
form
Status in gnome-keyring package in Ubuntu:
New
Bug description:
When I perform memory dump of session-child process, user’s login
credential, including user accounts and their password, is revealed as
a plaintext form.
In ‘pam_sm_authenticate’ function, user’s password is stored in the
heap memory of ‘pam_handle->data” to perform unlock the keyring in
later.
After unlocking the keyring, the pam module does not free/overwrite
the memory area though the password is no longer used.
We thus could find user’s login credentials.
This raises concerns over the credential being misused for illegal
behavior, such as acquiring user’s session key.
It would be better to clean the heap memory.
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: gnome-keyring 3.18.3-0ubuntu2
ProcVersionSignature: Ubuntu 4.13.0-36.40~16.04.1-generic 4.13.13
Uname: Linux 4.13.0-36-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.15
Architecture: amd64
CurrentDesktop: Unity
Date: Wed May 23 22:53:12 2018
InstallationDate: Installed on 2018-04-20 (32 days ago)
InstallationMedia: Ubuntu 16.04.4 LTS "Xenial Xerus" - Release amd64
(20180228)
SourcePackage: gnome-keyring
UpgradeStatus: No upgrade log present (probably fresh install)
upstart.gnome-keyring-ssh.log: grep:
/home/sungjungk/.config/autostart/gnome-keyring-ssh.desktop: No such file or
directory
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1772919/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
