Date: Thu, 17 Jan 2013 00:10:26 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Florian Weimer <fw@...eb.enyo.de> Subject: Re: gnome-keyring does not discard stored secrets in some cases -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/16/2013 10:27 PM, Florian Weimer wrote: > * Kurt Seifried: > >>> I've verified that Fedora 17 (GNOME 3.4) does not discard >>> cached keys on suspend and hibernate, either. (Swap is >>> encrypted, though, at least I selected that in the installer.) >>> However, I suspect that users expect that suspend (but perhaps >>> not hibernate) does not discard keys. >> >> Just to confirm, is this behavior documented at all in the gnome >> keyring documentation (e.g. that it does or doesn't do it)? >> Thanks. > > I think the clearest part is > <https://live.gnome.org/GnomeKeyring/SecurityPhilosophy>, which > proclaims: > > | * Try to keep your secrets from being swapped out or otherwise | > written to disk. | * Hunkering down and discarding all secrets when > your computer is | locked. > > The documentation for gnome_keyring_lock_all_sync > <http://developer.gnome.org/gnome-keyring/unstable/gnome-keyring-Keyrings.html#gnome-keyring-lock-all-sync> > > says: > > | Lock all the keyrings, so that their contents may not eb > accessed | without first unlocking them with a password. > > In addition, > <http://developer.gnome.org/gnome-keyring/unstable/gnome-keyring-Non-pageable-Memory.html> > > suggests that locked memory is never written to disk. This is not > true with hibernation. Perfect that's exactly what I needed to know. Please use CVE-2012-6111 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQIcBAEBAgAGBQJQ96PiAAoJEBYNRVNeJnmT8EwP/09jnBQcIT3SQwlMGEbc7Y6f VuQvqt1iYvyBRKGnSQu5IJ3LC/JN3cDjKOFROGkS0qUKuF0QD++q+YKU2NSslAJ4 /hh56vu/zHhxo38nxH4qhBJAA6oQy5xKBsPiIOUnhB9xbr8cq2RWOwSC4+UXIrP2 1Fr0lUR8v+cAQ5PbJhl1Bsy/TDmLzpXR4db/4mgZ0o484D+D4mHipIyYqIPIGWoH K97Jg5D20K3T4t2UOAelcbgl0OPEcDhK3YUOI7YPUuynrVN3mF28yZTfwdUX88ZD BXhJfT8AG1gavzZFNZdi8RhpTbV1K+IcB/tpLVlhJdppad6a0A9K+/GEIMu+Rkxb +kcbHaWfl+mavAfkI5WEBjfhbg5JyqgIlh+s3g0mhiiTWq9AUeZwsqYOE5/5orxQ AM9x8K8w/bKqP2O3o+lk0S8xA9ZmGymOhHMW0TgOsotpzeAi/CQn3LL4knRBe55L u3cJakmvro1t7mh9dxhidbpEbl6gByqsat64E9JJUFfJEkRhwawvq6RYcstR+T4X vpZabyoSYzCPMttIwG1xbfdo8zOzTN6Tl018UQxLNcshB8vkF+ETwIAhdrzf7Rlj gb0AVTMpeS2NnUXN1w/2aPPccW1vPFY5EOfB1x5F0Cw56fXtmyFnTBv9824Gf107 GDa1dgzuDeKFVENnrJ/f =y9Rt -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.