gnome-keyring Fwd: Re: Debug output in 2.30
- From: Stef Walter <stefw gnome org>
- To: "gnome-keyring-list gnome org" <gnome-keyring-list gnome org>
- Subject: gnome-keyring Fwd: Re: Debug output in 2.30
- Date: Fri, 08 Oct 2010 10:43:59 -0500
FYI all, there was some info leakage in logs in gnome-keyring 2.30. No
passwords, but some other bits of information. Thanks Romain Francoise
for discovering the bungle.
-------- Original Message --------
Subject: Re: Debug output in gnome-keyring 2.30
Date: Tue, 05 Oct 2010 19:25:57 +0200
From: Josselin Mouette <joss debian org>
To: Stef Walter <stefw gnome org>
CC: Romain Francoise <rfrancoise debian org>
On Tuesday 05 October 2010 at 11:08 -0500, Stef Walter wrote:
> I'll add some guards around the DEBUG_PROMPT stuff so that it can only
> be enabled with --enable-debug also enabled:
Great, thanks.
> > I’m trying to understand the security impact of this issue. As far as we
> > understand, the key used to encrypt the passphrase before passing it to
> > the daemon is not leaked. Could you confirm that?
>
> Yes, that's the case. We use DH key exchange and encryption when
> communicating passwords between processes for exactly this reason, to
> prevent other processes from snooping on the dialog, or accidental
> leakages in logs, caches, swap memory etc.
OK, so this is really only a matter of having key names and times of
unlocking in the logs, but not keys themselves.
Thanks for the explanations. I’ll upload a fix without a security
advisory, then. You might want to inform other distributions that ship
2.30 (Fedora and Ubuntu come to mind).
Cheers,