CVE request for accountsservice local encrypted password disclosure flaw

["Vincent Danen" <vdanen () redhat com>]

The upstream bug report was opened in 2012, so this probably requires a 2012 CVE.

Just cutting-and-pasting from our bug entry:

It was reported that accountsservice invokes usermod with the -p parameter when calling SetPassword(), which can leak 
encrypted passwords locally (being that they are briefly visible via ps).

As noted in the upstream bug:

The relevant code is in src/user.c in the user_change_password_authorized_cb() function:

        argv[0] = "/usr/sbin/usermod";
        argv[1] = "-p";
        argv[2] = strings[0];
        argv[3] = "--";
        argv[4] = user->user_name;
        argv[5] = NULL;

strings[0] has been set to the crypted password in user_set_password(). The crypted password has been passed from the 
client (ie: gnome-control-center).

This has not yet been corrected upstream.

References:

https://bugs.freedesktop.org/show_bug.cgi?id=55000
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=757912
https://bugzilla.redhat.com/show_bug.cgi?id=1130538


Thanks.

-- 
Vincent Danen / Red Hat Product Security

Attachment: signature.asc
Description: OpenPGP digital signature