FS#37930 : [gdm] reveals user's password

FS#37930 - [gdm] reveals user's password

Attached to Project: Arch Linux
Opened by Peter Weber (hoschi) - Wednesday, 27 November 2013, 10:05 GMT
Last edited by Jan de Groot (JGC) - Wednesday, 04 December 2013, 20:14 GMT

Task Type	Bug Report
Category	Upstream Bugs
Status	Closed
Assigned To	Jan de Groot (JGC)
Architecture	All
Severity	High
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	2 John (graysky) (2013-11-27) Peter Weber (hoschi) (2013-11-27)
Private	No

Details

Description:
It is possible to see the password of a logged in user, while switching between users and locking the screen. Fedora marked this bug as blocker for the release of Fedora 20 and patch is available.

Additional info:
* package version(s): 3.10.0.1-1
* config and/or log files etc.: none
* source: https://bugzilla.redhat.com/show_bug.cgi?id=1034031

Steps to reproduce (seem the simplest way to trigger):
1.Log in as 'user01'
2. Switch user to 'user02'
3. Switch user to 'user01'
4. Lock screen of user 'user01'
5. From the unlock dialog, hit "Log in as a different user"
6. Right click on password field -> Show password!

While the bugfix isn't available from upstream itself, we should apply a fix as fast as possible. This draws a bad light on the quality of GNOME/GDM. Furthermore we have to ask why the password itself is stored in mainmemory for more time than scrictly needed?

This task depends upon

Closed by Jan de Groot (JGC)
Wednesday, 04 December 2013, 20:14 GMT
Reason for closing: Fixed

Comment by Peter Weber (hoschi) - Wednesday, 27 November 2013, 10:53 GMT

I want attach the single patch here, but it seems weird.

http://koji.fedoraproject.org/koji/rpminfo?rpmID=4628417
-> 0001-authPrompt-propagate-gdm-reset-signal-after-user-swi.patch

Tried already:
-> Download and extract source-rpm -> patch not included, seem to be applied already inside source
-> Download from website -> nothing
-> Download from any git -> nothing

Is it me or does Fedora makes this as hard as possible?

Comment by John (graysky) - Wednesday, 27 November 2013, 11:18 GMT

Just d/l the the src.rpm to extract the patches.[1] Should this bug be against gnome-shell rather than xscreensaver? The patch you propose is for the former, no?

1. http://koji.fedoraproject.org/koji/buildinfo?buildID=480817

0001-authPrompt-propagate-gdm... (3.6 KiB)

Comment by Peter Weber (hoschi) - Wednesday, 27 November 2013, 12:27 GMT

Thank you John! I've extracted the src-rpm and overseen it :-)
The patched file "js/gdm/authPrompt.js" resides within the package gnome-shell. The package xscreensaver is not involved (and nowadays not installed within a GNOME-Environment).

Comment by Ionut Biru (wonder) - Wednesday, 27 November 2013, 12:37 GMT

i prefer to see this committed upstream.
do they know about this?

Comment by Peter Weber (hoschi) - Wednesday, 27 November 2013, 15:01 GMT

I don't know but asked in the meanwhile on the redhat-bugzilla for it. I know our own package-policy to prefer only upstream-patches, but we shouldn't wait longer than needed. Honestly - five minutes ago in the past - would be a apropriate time-limit.

// update
I reported this on my own to upstream:
https://bugzilla.gnome.org/show_bug.cgi?id=719427

Comment by Peter Weber (hoschi) - Wednesday, 27 November 2013, 20:57 GMT

Upstream bug with fix:
https://bugzilla.gnome.org/show_bug.cgi?id=710456

Comment by Peter Weber (hoschi) - Friday, 29 November 2013, 09:38 GMT

fix applied on trunk:
https://git.gnome.org/browse/gnome-shell/commit/js/gdm/authPrompt.js?id=b2f547e93452cb2d406263cd9bb8743760c28683

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#37930 - [gdm] reveals user's password

Details

Loading...