Date: Fri, 15 Aug 2014 07:44:44 -0600
From: "Vincent Danen" <vdanen@...hat.com>
To: "OSS Security List" <oss-security@...ts.openwall.com>
Subject: CVE request for accountsservice local encrypted password disclosure flaw

The upstream bug report was opened in 2012, so this probably requires a 2012 CVE. Just cutting-and-pasting from our bug entry:

It was reported that accountsservice invokes usermod with the -p parameter when calling SetPassword(), which can leak encrypted passwords locally (being that they are briefly visible via ps). As noted in the upstream bug:

The relevant code is in src/user.c in the user_change_password_authorized_cb() function:

    argv[0] = "/usr/sbin/usermod";
    argv[1] = "-p";
    argv[2] = strings;
    argv[3] = "--";
    argv[4] = user->user_name;
    argv[5] = NULL;

strings has been set to the crypted password in user_set_password(). The crypted password has been passed from the client (ie: gnome-control-center).

This has not yet been corrected upstream.

References:

https://bugs.freedesktop.org/show_bug.cgi?id=55000
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=757912
https://bugzilla.redhat.com/show_bug.cgi?id=1130538

Thanks.

--
Vincent Danen / Red Hat Product Security
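
The exposure described in the message above, as an added example that is not part of the original post and not accountsservice code: a stand-in child (`sh` blocked in `read`, labelled `usermod-standin`, both hypothetical) receives a constructed hash once as an argument and once on stdin, and the parent checks `/proc/<pid>/cmdline`, the file `ps` reads. It assumes Linux with `/proc` mounted and `/bin/sh` present.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Constructed stand-in for a crypt(3) hash; not a real credential. */
#define SAMPLE_HASH "$6$constructedsalt$constructedhash"

/* 1 if needle is an argument in /proc/<pid>/cmdline (what ps reads), else 0. */
static int cmdline_contains(pid_t pid, const char *needle) {
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%d/cmdline", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f); buf[n] = '\0';
    for (size_t i = 0; i < n; i += strlen(buf + i) + 1)  /* NUL-separated */
        if (strcmp(buf + i, needle) == 0) return 1;
    return 0;
}

/* Start the stand-in child with the hash as an argument (the usermod -p
 * pattern) or on stdin. Returns 1 if the hash shows in its command line. */
int hash_visible_in_cmdline(int hash_in_argv) {
    int in[2], ready[2], seen; char c;
    if (pipe(in) || pipe(ready)) return -1;
    fcntl(ready[1], F_SETFD, FD_CLOEXEC);   /* closes when the child execs */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(in[0], STDIN_FILENO);
        close(in[0]); close(in[1]); close(ready[0]);
        execl("/bin/sh", "sh", "-c", "read line", "usermod-standin", "-p",
              hash_in_argv ? SAMPLE_HASH : (char *)NULL, (char *)NULL);
        _exit(127);
    }
    close(in[0]); close(ready[1]);
    while (read(ready[0], &c, 1) > 0) { }   /* EOF: child has exec'd */
    close(ready[0]);
    seen = cmdline_contains(pid, SAMPLE_HASH);
    if (!hash_in_argv && write(in[1], SAMPLE_HASH "\n", strlen(SAMPLE_HASH) + 1) < 0)
        seen = -1;
    close(in[1]); waitpid(pid, NULL, 0);
    return seen;
}

int main(void) {
    printf("argv: %d  stdin: %d\n", hash_visible_in_cmdline(1), hash_visible_in_cmdline(0));
    return 0;
}
```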