Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 15 Aug 2014 07:44:44 -0600
From: "Vincent Danen" <vdanen@...hat.com>
To: "OSS Security List" <oss-security@...ts.openwall.com>
Subject: CVE request for accountsservice local encrypted password disclosure
 flaw

The upstream bug report was opened in 2012, so this probably requires a 2012 CVE.

Just cutting-and-pasting from our bug entry:

It was reported that accountsservice invokes usermod with the -p parameter when calling SetPassword(), which can leak encrypted passwords locally (being that they are briefly visible via ps).

As noted in the upstream bug:

The relevant code is in src/user.c in the user_change_password_authorized_cb() function:

        argv[0] = "/usr/sbin/usermod";
        argv[1] = "-p";
        argv[2] = strings[0];
        argv[3] = "--";
        argv[4] = user->user_name;
        argv[5] = NULL;

strings[0] has been set to the crypted password in user_set_password(). The crypted password has been passed from the client (ie: gnome-control-center).

This has not yet been corrected upstream.

References:

https://bugs.freedesktop.org/show_bug.cgi?id=55000
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=757912
https://bugzilla.redhat.com/show_bug.cgi?id=1130538


Thanks.

-- 
Vincent Danen / Red Hat Product Security

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ