Re: [Bug 1803993] Re: Password appears on the VT1 screen
Hi Seth,

Sorry. It is plymouth 0.9.3ubuntu7.18.04.1 amd64

On Tue, Nov 20, 2018 at 5:35 PM Seth Arnold <1803...@bugs.launchpad.net> wrote:

> Hello Thomas, sadly you only got half of the version number. Can you
> please paste in the full version number?
>
> Thanks
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1803993
>
> Title:
>   Password appears on the VT1 screen
>
> Status in gdm3 package in Ubuntu:
>   Incomplete
> Status in plymouth package in Ubuntu:
>   Incomplete
>
> Bug description:
>   This was found when an administrative error made /home directory
>   inaccessible. Any users that tried to login after that, were not able
>   to (which is expected) but their password appears on the VT1 screen.
>   Under normal circumstances, VT1 is not visible. But once the system
>   was sent into this compromised mode, one can press ctrl+alt+F1 and
>   then ctrl+alt+F2 and get a momentary glance at VT1. One can keep
>   toggling between these key combinations in order to make out the
>   password(s) on VT1.
>
>   As a further test, I wanted to see if a non-super user could cause
>   this condition, and it is in fact possible. As a regular user, I made
>   their own home directory not writable and then removed ~/.config and
>   logged out. Then logged in as that user again, and although that user
>   can't login the system does go into that mode where passwords appear
>   on VT1 and are viewable with the key combinations mentioned herein.
>   Further, any other users that login will see no problem, but when they
>   logon their passwords also appear on VT1 and are viewable.
>
>   ProblemType: Bug
>   DistroRelease: Ubuntu 18.04
>   Package: gdm3 3.28.3-0ubuntu18.04.3
>   Uname: Linux 4.19.2-041902-generic x86_64
>   ApportVersion: 2.20.9-0ubuntu7.5
>   Architecture: amd64
>   CurrentDesktop: ubuntu:GNOME
>   Date: Mon Nov 19 08:32:59 2018
>   InstallationDate: Installed on 2018-08-25 (85 days ago)
>   InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64
>   (20180426)
>   ProcEnviron:
>    TERM=xterm-256color
>    PATH=(custom, no user)
>    XDG_RUNTIME_DIR=
>    LANG=en_US.UTF-8
>    SHELL=/bin/bash
>   SourcePackage: gdm3
>   UpgradeStatus: No upgrade log present (probably fresh install)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1803993/+subscriptions
>

--
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to gdm3 in Ubuntu.
https://bugs.launchpad.net/bugs/1803993

Title:
  Password appears on the VT1 screen

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1803993/+subscriptions

--
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs

Re: [Bug 1803993] Re: GDM is Exploitable as a Password Collector
Hi Seth,

It is: 0.9.3-1ubunt

On Mon, Nov 19, 2018 at 10:30 PM Seth Arnold <1803...@bugs.launchpad.net> wrote:

> Hello Thomas, can you please report back what version of plymouth you
> have installed?
>
> dpkg -l plymouth | grep ^ii
>
> Thanks
>
> ** Information type changed from Private Security to Public Security
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1803993
>
> Title:
>   GDM is Exploitable as a Password Collector
>
> Status in gdm3 package in Ubuntu:
>   New
>
> Bug description:
>   This was found when an administrative error made /home directory
>   inaccessible. Any users that tried to login after that, were not able
>   to (which is expected) but their password appears on the VT1 screen.
>   Under normal circumstances, VT1 is not visible. But once the system
>   was sent into this compromised mode, one can press ctrl+alt+F1 and
>   then ctrl+alt+F2 and get a momentary glance at VT1. One can keep
>   toggling between these key combinations in order to make out the
>   password(s) on VT1.
>
>   As a further test, I wanted to see if a non-super user could cause
>   this condition, and it is in fact possible. As a regular user, I made
>   their own home directory not writable and then removed ~/.config and
>   logged out. Then logged in as that user again, and although that user
>   can't login the system does go into that mode where passwords appear
>   on VT1 and are viewable with the key combinations mentioned herein.
>   Further, any other users that login will see no problem, but when they
>   logon their passwords also appear on VT1 and are viewable.
>
>   ProblemType: Bug
>   DistroRelease: Ubuntu 18.04
>   Package: gdm3 3.28.3-0ubuntu18.04.3
>   Uname: Linux 4.19.2-041902-generic x86_64
>   ApportVersion: 2.20.9-0ubuntu7.5
>   Architecture: amd64
>   CurrentDesktop: ubuntu:GNOME
>   Date: Mon Nov 19 08:32:59 2018
>   InstallationDate: Installed on 2018-08-25 (85 days ago)
>   InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64
>   (20180426)
>   ProcEnviron:
>    TERM=xterm-256color
>    PATH=(custom, no user)
>    XDG_RUNTIME_DIR=
>    LANG=en_US.UTF-8
>    SHELL=/bin/bash
>   SourcePackage: gdm3
>   UpgradeStatus: No upgrade log present (probably fresh install)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1803993/+subscriptions
>

[Bug 1767918] Re: Login password from GDM is shown in plain text on the VT1 console
FYI -- I saw a recurrence of this last week and am opening a bug now.

--
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to gdm3 in Ubuntu.
https://bugs.launchpad.net/bugs/1767918

Title:
  Login password from GDM is shown in plain text on the VT1 console

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1767918/+subscriptions

[Bug 1795140] Re: Gnome Desktop -- After Usermode Application Crashes, Reveals User Passwords by Pressing Ctrl+Alt+F1
*** This bug is a duplicate of bug 1767918 ***
    https://bugs.launchpad.net/bugs/1767918

Hello Seth & Daniel. I tested after the update and was not able to
duplicate the issue. I'd be comfortable closing this out, but don't see
an option.

FYI -- I removed my screen shot since this was made public, and there is
a screen shot to the other ticket if anyone needs to see what it looked
like.

** Attachment removed: "screen shot ubuntu issue.png"
   https://bugs.launchpad.net/ubuntu/+source/gnome-desktop/+bug/1795140/+attachment/5194442/+files/screen%20shot%20ubuntu%20issue.png

--
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to gnome-desktop in Ubuntu.
https://bugs.launchpad.net/bugs/1795140

Title:
  Gnome Desktop -- After Usermode Application Crashes, Reveals User
  Passwords by Pressing Ctrl+Alt+F1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-desktop/+bug/1795140/+subscriptions