*** This bug is a security vulnerability ***

Public security bug reported:

When systemd prompts for a password (for example, using systemctl without sudo and requiring authentication), it times out if the user does not type the password fast enough (after about 30 seconds or so). This results in the password becoming visible on the next prompt from bash (or whatever shell was being used) as the password is left on standard input.

Perhaps this package should consume the input when timing out. Not sure if this is possible, but a security issue.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: systemd 229-4ubuntu21.2
ProcVersionSignature: Ubuntu 4.4.0-119.143-generic 4.4.114
Uname: Linux 4.4.0-119-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.18
Architecture: amd64
Date: Fri Jul 6 17:31:46 2018
InstallationDate: Installed on 2015-03-06 (1218 days ago)
InstallationMedia: Ubuntu-Server 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
MachineType: Dell Inc. PowerEdge R310
ProcEnviron:
 TERM=rxvt-unicode-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.4.0-119-generic root=/dev/mapper/hostname--vg-root ro
SourcePackage: systemd
UpgradeStatus: Upgraded to xenial on 2016-08-26 (679 days ago)
dmi.bios.date: 03/03/2011
dmi.bios.vendor: Dell Inc.
dmi.bios.version: 1.6.4
dmi.board.name: 05XKKK
dmi.board.vendor: Dell Inc.
dmi.board.version: A02
dmi.chassis.type: 23
dmi.chassis.vendor: Dell Inc.
dmi.modalias: dmi:bvnDellInc.:bvr1.6.4:bd03/03/2011:svnDellInc.:pnPowerEdgeR310:pvr:rvnDellInc.:rn05XKKK:rvrA02:cvnDellInc.:ct23:cvr:
dmi.product.name: PowerEdge R310
dmi.sys.vendor: Dell Inc.

** Affects: systemd (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug third-party-packages xenial

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1780506

Title:
  Password visible in systemd password prompt if user types too slow

Status in systemd package in Ubuntu:
  New
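The report suggests consuming the pending input when the prompt times out. The following added example (not systemd's code and not part of the original report) shows one way a terminal prompt can do that with `tcflush(TCIFLUSH)` before restoring echo; `read_secret` and its parameters are hypothetical names, and it assumes a getpass-style prompt that keeps canonical mode on.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Hypothetical helper (added example). Reads one line from the terminal at
 * tty_path with echo off, waiting at most timeout_ms. Returns the length
 * without the newline, or -1 with errno set (ETIMEDOUT on timeout, ENOTTY
 * if the path is not a terminal). */
ssize_t read_secret(const char *tty_path, char *buf, size_t size, int timeout_ms)
{
    struct termios saved, noecho;
    struct pollfd pfd = { .events = POLLIN };
    ssize_t n = -1;
    int err, ready;

    if (size == 0) { errno = EINVAL; return -1; }
    int fd = open(tty_path, O_RDWR | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (tcgetattr(fd, &saved) < 0) { err = errno; goto out; }

    noecho = saved;
    noecho.c_lflag &= ~(tcflag_t)ECHO;      /* canonical mode stays on */
    if (tcsetattr(fd, TCSANOW, &noecho) < 0) { err = errno; goto out; }

    pfd.fd = fd;
    ready = poll(&pfd, 1, timeout_ms);      /* readable only once a full line exists */
    if (ready > 0)
        n = read(fd, buf, size - 1);
    err = ready == 0 ? ETIMEDOUT : errno;

    if (n < 0) {
        memset(buf, 0, size);               /* hand nothing back on failure */
    } else {
        if (n > 0 && buf[n - 1] == '\n') n--;
        buf[n] = '\0';
    }
    /* Whatever is still queued (a half-typed secret after a timeout, or the
     * tail of an over-long line) must not reach the next reader of this
     * terminal, so discard it while echo is still off. */
    tcflush(fd, TCIFLUSH);
    tcsetattr(fd, TCSANOW, &saved);         /* restore echo in every case */
out:
    close(fd);
    if (n < 0) errno = err;
    return n;
}
```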