oss-sec mailing list archives
CVE request for accountsservice local encrypted password disclosure flaw
From: "Vincent Danen" <vdanen () redhat com>
Date: Fri, 15 Aug 2014 07:44:44 -0600
The upstream bug report was opened in 2012, so this probably requires a 2012 CVE. Just cutting-and-pasting from our bug entry: It was reported that accountsservice invokes usermod with the -p parameter when calling SetPassword(), which can leak encrypted passwords locally (being that they are briefly visible via ps). As noted in the upstream bug: The relevant code is in src/user.c in the user_change_password_authorized_cb() function: argv[0] = "/usr/sbin/usermod"; argv[1] = "-p"; argv[2] = strings[0]; argv[3] = "--"; argv[4] = user->user_name; argv[5] = NULL; strings[0] has been set to the crypted password in user_set_password(). The crypted password has been passed from the client (ie: gnome-control-center). This has not yet been corrected upstream. References: https://bugs.freedesktop.org/show_bug.cgi?id=55000 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=757912 https://bugzilla.redhat.com/show_bug.cgi?id=1130538 Thanks. -- Vincent Danen / Red Hat Product Security
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE request for accountsservice local encrypted password disclosure flaw Vincent Danen (Aug 15)
- Re: CVE request for accountsservice local encrypted password disclosure flaw cve-assign (Aug 16)