Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 17 Jan 2013 00:10:26 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Florian Weimer <fw@...eb.enyo.de>
Subject: Re: gnome-keyring does not discard stored secrets
 in some cases

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/16/2013 10:27 PM, Florian Weimer wrote:
> * Kurt Seifried:
> 
>>> I've verified that Fedora 17 (GNOME 3.4) does not discard
>>> cached keys on suspend and hibernate, either.  (Swap is
>>> encrypted, though, at least I selected that in the installer.)
>>> However, I suspect that users expect that suspend (but perhaps
>>> not hibernate) does not discard keys.
>> 
>> Just to confirm, is this behavior documented at all in the gnome 
>> keyring documentation (e.g. that it does or doesn't do it)?
>> Thanks.
> 
> I think the clearest part is 
> <https://live.gnome.org/GnomeKeyring/SecurityPhilosophy>, which 
> proclaims:
> 
> | * Try to keep your secrets from being swapped out or otherwise |
> written to disk. | * Hunkering down and discarding all secrets when
> your computer is |   locked.
> 
> The documentation for gnome_keyring_lock_all_sync 
> <http://developer.gnome.org/gnome-keyring/unstable/gnome-keyring-Keyrings.html#gnome-keyring-lock-all-sync>
>
> 
says:
> 
> | Lock all the keyrings, so that their contents may not eb
> accessed | without first unlocking them with a password.
> 
> In addition, 
> <http://developer.gnome.org/gnome-keyring/unstable/gnome-keyring-Non-pageable-Memory.html>
>
> 
suggests that locked memory is never written to disk.  This is not
> true with hibernation.

Perfect that's exactly what I needed to know. Please use CVE-2012-6111
for this issue.



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ96PiAAoJEBYNRVNeJnmT8EwP/09jnBQcIT3SQwlMGEbc7Y6f
VuQvqt1iYvyBRKGnSQu5IJ3LC/JN3cDjKOFROGkS0qUKuF0QD++q+YKU2NSslAJ4
/hh56vu/zHhxo38nxH4qhBJAA6oQy5xKBsPiIOUnhB9xbr8cq2RWOwSC4+UXIrP2
1Fr0lUR8v+cAQ5PbJhl1Bsy/TDmLzpXR4db/4mgZ0o484D+D4mHipIyYqIPIGWoH
K97Jg5D20K3T4t2UOAelcbgl0OPEcDhK3YUOI7YPUuynrVN3mF28yZTfwdUX88ZD
BXhJfT8AG1gavzZFNZdi8RhpTbV1K+IcB/tpLVlhJdppad6a0A9K+/GEIMu+Rkxb
+kcbHaWfl+mavAfkI5WEBjfhbg5JyqgIlh+s3g0mhiiTWq9AUeZwsqYOE5/5orxQ
AM9x8K8w/bKqP2O3o+lk0S8xA9ZmGymOhHMW0TgOsotpzeAi/CQn3LL4knRBe55L
u3cJakmvro1t7mh9dxhidbpEbl6gByqsat64E9JJUFfJEkRhwawvq6RYcstR+T4X
vpZabyoSYzCPMttIwG1xbfdo8zOzTN6Tl018UQxLNcshB8vkF+ETwIAhdrzf7Rlj
gb0AVTMpeS2NnUXN1w/2aPPccW1vPFY5EOfB1x5F0Cw56fXtmyFnTBv9824Gf107
GDa1dgzuDeKFVENnrJ/f
=y9Rt
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.