Your message dated Tue, 01 Dec 2020 13:42:03 +0000
with message-id <[email protected]>
and subject line Bug#719004: fixed in fprintd 1.90.4-1
has caused the Debian Bug report #719004,
regarding fprintd-enroll does not ask for user password before recording
fingerprints (security issue)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
719004: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=719004
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: frpintd
Version: 0.4.1-5-g73edad0-3
fprintd-enroll records fingerprints and enables fingerprint authentication
without asking for a password for users. This creates a security issue, as
shown in the following example:
in an open session of a computer with a fingerprint reader, with fprintd and
sudo installed and with the current user member of sudoers, do:
$ fprintd-enroll
record your fingerprint, then:
$ sudo su -
enter your fingerprint
#
You are now root without having typed a single password. I believe the
correct behavior for fprintd-enroll should be to ask for the user password
before recording the fingerprint, like for password changes.
I am using Debian stable (wheezy) with backports enabled on amd64 (Linux
mobilis 3.2.0-4-amd64 #1 SMP Debian 3.2.46-1 x86_64 GNU/Linux)
--- End Message ---
--- Begin Message ---
Source: fprintd
Source-Version: 1.90.4-1
Done: Laurent Bigonville <[email protected]>
We believe that the bug you reported is fixed in the latest version of
fprintd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laurent Bigonville <[email protected]> (supplier of updated fprintd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 01 Dec 2020 13:06:59 +0100
Source: fprintd
Architecture: source
Version: 1.90.4-1
Distribution: unstable
Urgency: medium
Maintainer: FingerForce Team <[email protected]>
Changed-By: Laurent Bigonville <[email protected]>
Closes: 719004 955893
Changes:
 fprintd (1.90.4-1) unstable; urgency=medium
 .
   * Team upload.
   [ Marco Trevisan (Treviño) ]
   * New upstream release:
     - Use GDBus and async Polkit checks
     - Authentication is now required to enroll a new print (LP: #1532264,
       Closes: #719004)
     - Add support for the libfprint early reporting mechanism
     - Proper hotplug support together with libfprint 1.90.4
     - Handle STATE_DIRECTORY containing multiple paths
     - Various memory fixes (LP: #1888495)
   * debian/control:
     - Remove build dependency on dbus-glib (Closes: #955893)
     - Mark as <!nocheck> the packages required only for testing
     - Use debhelper 13
     - Bump libfprint-2 dependency on 1.90.4 on test case
   * debian/rules:
     - remove unneeded override to force --fail-missing (as per dh 13)
     - Increase tests timeout multiplier
   * debian/patches:
     - Refresh
     - Define auto-pointers functions if not defined:
       Fixes a build failure with debian polkit version.
     - Cleanup pam-wrapper temporary dir when running tests
     - Fix dbus-policy file to address lintian
     - Ensure we generate debug symbols in debian builds
 .
   [ Laurent Bigonville ]
   * debian/control: Bump Standards-Version to 4.5.1 (no further changes)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
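An added example, not part of either message above and not fprintd's own code: a check that reads a polkit policy file and reports whether fingerprint enrollment is allowed without authentication, which is the condition the report describes and the 1.90.4 changelog says is fixed. The action id net.reactivated.fprint.device.enroll and both sample policies are assumptions; the samples are constructed for illustration and not copied from any fprintd release.

```python
import xml.etree.ElementTree as ET

# Assumption: the action id fprintd's polkit policy uses for enrollment;
# it is not quoted in the messages above.
ENROLL_ACTION = "net.reactivated.fprint.device.enroll"
SCOPES = ("allow_any", "allow_inactive", "allow_active")
# polkit implicit authorizations that force a credential prompt.
AUTH_REQUIRED = {"auth_self", "auth_self_keep", "auth_admin", "auth_admin_keep"}

def make_policy(allow_active):
    """Build a constructed sample policy; not copied from any fprintd release."""
    return f"""<policyconfig>
  <action id="{ENROLL_ACTION}">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>{allow_active}</allow_active>
    </defaults>
  </action>
</policyconfig>"""

UNAUTHENTICATED_POLICY = make_policy("yes")           # the reported behaviour
AUTHENTICATED_POLICY = make_policy("auth_self_keep")  # a value that asks for the password

def enroll_defaults(policy_xml):
    """Return {scope: value} for the enroll action, or None if it is absent."""
    for action in ET.fromstring(policy_xml).iter("action"):
        if action.get("id") == ENROLL_ACTION:
            defaults = action.find("defaults")
            return {s: ((defaults.findtext(s) if defaults is not None else None)
                        or "unset").strip() for s in SCOPES}
    return None

def audit(policy_xml):
    """List findings; an empty list means no scope may enroll without authenticating."""
    defaults = enroll_defaults(policy_xml)
    if defaults is None:
        return ["enroll action not declared in this policy"]
    findings = []
    for scope, value in defaults.items():
        if value == "yes":
            findings.append(f"{scope}={value}: enrollment needs no authentication")
        elif value not in AUTH_REQUIRED and value not in ("no", "unset"):
            findings.append(f"{scope}={value}: unrecognised value")
    return findings

if __name__ == "__main__":
    for name, xml in (("unauthenticated", UNAUTHENTICATED_POLICY),
                      ("authenticated", AUTHENTICATED_POLICY)):
        print(name, audit(xml) or "ok")
```

Local polkit rules can override the package defaults, so a clean result here covers only the shipped policy file.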