This bug was fixed in the package gnome-keyring - 3.10.1-1ubuntu4.4 --------------- gnome-keyring (3.10.1-1ubuntu4.4) trusty-security; urgency=medium
* SECURITY UPDATE: credentials exposed in memory (LP: #1772919) - debian/patches/CVE-2018-20781.patch: destroy the password in pam_sm_open_session in pam/gkr-pam-module.c. - CVE-2018-20781 -- Marc Deslauriers <marc.deslauri...@ubuntu.com> Thu, 14 Feb 2019 08:32:24 -0500 ** Changed in: gnome-keyring (Ubuntu Trusty) Status: Confirmed => Fix Released ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-20781 -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1772919 Title: pam-gnome-keyring.so reveals user’s password credential as a plaintext form Status in gnome-keyring package in Ubuntu: Fix Released Status in gnome-keyring source package in Trusty: Fix Released Status in gnome-keyring source package in Xenial: Confirmed Bug description: When I perform memory dump of session-child process, user’s login credential, including user accounts and their password, is revealed as a plaintext form. In ‘pam_sm_authenticate’ function, user’s password is stored in the heap memory of ‘pam_handle->data” to perform unlock the keyring in later. After unlocking the keyring, the pam module does not free/overwrite the memory area though the password is no longer used. We thus could find user’s login credentials. This raises concerns over the credential being misused for illegal behavior, such as acquiring user’s session key. It would be better to clean the heap memory. ProblemType: Bug DistroRelease: Ubuntu 16.04 Package: gnome-keyring 3.18.3-0ubuntu2 ProcVersionSignature: Ubuntu 4.13.0-36.40~16.04.1-generic 4.13.13 Uname: Linux 4.13.0-36-generic x86_64 ApportVersion: 2.20.1-0ubuntu2.15 Architecture: amd64 CurrentDesktop: Unity Date: Wed May 23 22:53:12 2018 InstallationDate: Installed on 2018-04-20 (32 days ago) InstallationMedia: Ubuntu 16.04.4 LTS "Xenial Xerus" - Release amd64 (20180228) SourcePackage: gnome-keyring UpgradeStatus: No upgrade log present (probably fresh install) upstart.gnome-keyring-ssh.log: grep: /home/sungjungk/.config/autostart/gnome-keyring-ssh.desktop: No such file or directory To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1772919/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp