*** This bug is a security vulnerability ***
Public security bug reported:
When systemd prompts for a password (for example, using systemctl
without sudo and requiring authentication), it times out if the user
does not type the password fast enough (after about 30 seconds or so).
This results in the password becoming visible on the next prompt from
bash (or whatever shell was being used) as the password is left on
standard input.
Perhaps this package should consume the input when timing out. Not sure if this
is possible, but a security issue.
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: systemd 229-4ubuntu21.2
ProcVersionSignature: Ubuntu 4.4.0-119.143-generic 4.4.114
Uname: Linux 4.4.0-119-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.18
Architecture: amd64
Date: Fri Jul 6 17:31:46 2018
InstallationDate: Installed on 2015-03-06 (1218 days ago)
InstallationMedia: Ubuntu-Server 14.04.2 LTS "Trusty Tahr" - Release amd64
(20150218.1)
MachineType: Dell Inc. PowerEdge R310
ProcEnviron:
TERM=rxvt-unicode-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.4.0-119-generic
root=/dev/mapper/hostname--vg-root ro
SourcePackage: systemd
UpgradeStatus: Upgraded to xenial on 2016-08-26 (679 days ago)
dmi.bios.date: 03/03/2011
dmi.bios.vendor: Dell Inc.
dmi.bios.version: 1.6.4
dmi.board.name: 05XKKK
dmi.board.vendor: Dell Inc.
dmi.board.version: A02
dmi.chassis.type: 23
dmi.chassis.vendor: Dell Inc.
dmi.modalias:
dmi:bvnDellInc.:bvr1.6.4:bd03/03/2011:svnDellInc.:pnPowerEdgeR310:pvr:rvnDellInc.:rn05XKKK:rvrA02:cvnDellInc.:ct23:cvr:
dmi.product.name: PowerEdge R310
dmi.sys.vendor: Dell Inc.
** Affects: systemd (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug third-party-packages xenial
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1780506
Title:
Password visible in systemd password prompt if user types too slow
Status in systemd package in Ubuntu:
New
Bug description:
When systemd prompts for a password (for example, using systemctl
without sudo and requiring authentication), it times out if the user
does not type the password fast enough (after about 30 seconds or so).
This results in the password becoming visible on the next prompt from
bash (or whatever shell was being used) as the password is left on
standard input.
Perhaps this package should consume the input when timing out. Not sure if
this is possible, but a security issue.
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: systemd 229-4ubuntu21.2
ProcVersionSignature: Ubuntu 4.4.0-119.143-generic 4.4.114
Uname: Linux 4.4.0-119-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.18
Architecture: amd64
Date: Fri Jul 6 17:31:46 2018
InstallationDate: Installed on 2015-03-06 (1218 days ago)
InstallationMedia: Ubuntu-Server 14.04.2 LTS "Trusty Tahr" - Release amd64
(20150218.1)
MachineType: Dell Inc. PowerEdge R310
ProcEnviron:
TERM=rxvt-unicode-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.4.0-119-generic
root=/dev/mapper/hostname--vg-root ro
SourcePackage: systemd
UpgradeStatus: Upgraded to xenial on 2016-08-26 (679 days ago)
dmi.bios.date: 03/03/2011
dmi.bios.vendor: Dell Inc.
dmi.bios.version: 1.6.4
dmi.board.name: 05XKKK
dmi.board.vendor: Dell Inc.
dmi.board.version: A02
dmi.chassis.type: 23
dmi.chassis.vendor: Dell Inc.
dmi.modalias:
dmi:bvnDellInc.:bvr1.6.4:bd03/03/2011:svnDellInc.:pnPowerEdgeR310:pvr:rvnDellInc.:rn05XKKK:rvrA02:cvnDellInc.:ct23:cvr:
dmi.product.name: PowerEdge R310
dmi.sys.vendor: Dell Inc.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1780506/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
