Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#37930 - [gdm] reveals user's password

Attached to Project: Arch Linux
Opened by Peter Weber (hoschi) - Wednesday, 27 November 2013, 10:05 GMT
Last edited by Jan de Groot (JGC) - Wednesday, 04 December 2013, 20:14 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Jan de Groot (JGC)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No


It is possible to see the password of a logged in user, while switching between users and locking the screen. Fedora marked this bug as blocker for the release of Fedora 20 and patch is available.

Additional info:
* package version(s):
* config and/or log files etc.: none
* source:

Steps to reproduce (seem the simplest way to trigger):
1.Log in as 'user01'
2. Switch user to 'user02'
3. Switch user to 'user01'
4. Lock screen of user 'user01'
5. From the unlock dialog, hit "Log in as a different user"
6. Right click on password field -> Show password!

While the bugfix isn't available from upstream itself, we should apply a fix as fast as possible. This draws a bad light on the quality of GNOME/GDM. Furthermore we have to ask why the password itself is stored in mainmemory for more time than scrictly needed?
This task depends upon

Closed by  Jan de Groot (JGC)
Wednesday, 04 December 2013, 20:14 GMT
Reason for closing:  Fixed
Comment by Peter Weber (hoschi) - Wednesday, 27 November 2013, 10:53 GMT
I want attach the single patch here, but it seems weird.
-> 0001-authPrompt-propagate-gdm-reset-signal-after-user-swi.patch

Tried already:
-> Download and extract source-rpm -> patch not included, seem to be applied already inside source
-> Download from website -> nothing
-> Download from any git -> nothing

Is it me or does Fedora makes this as hard as possible?
Comment by John (graysky) - Wednesday, 27 November 2013, 11:18 GMT
Just d/l the the src.rpm to extract the patches.[1] Should this bug be against gnome-shell rather than xscreensaver? The patch you propose is for the former, no?

Comment by Peter Weber (hoschi) - Wednesday, 27 November 2013, 12:27 GMT
Thank you John! I've extracted the src-rpm and overseen it :-)
The patched file "js/gdm/authPrompt.js" resides within the package gnome-shell. The package xscreensaver is not involved (and nowadays not installed within a GNOME-Environment).
Comment by Ionut Biru (wonder) - Wednesday, 27 November 2013, 12:37 GMT
i prefer to see this committed upstream.
do they know about this?
Comment by Peter Weber (hoschi) - Wednesday, 27 November 2013, 15:01 GMT
I don't know but asked in the meanwhile on the redhat-bugzilla for it. I know our own package-policy to prefer only upstream-patches, but we shouldn't wait longer than needed. Honestly - five minutes ago in the past - would be a apropriate time-limit.

// update
I reported this on my own to upstream:
Comment by Peter Weber (hoschi) - Wednesday, 27 November 2013, 20:57 GMT Comment by Peter Weber (hoschi) - Friday, 29 November 2013, 09:38 GMT