Bug 1652194 (CVE-2018-19358)
| Summary: | CVE-2018-19358 gnome-keyring: login credentials retrieval via a Secret Service API call | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | debarshir, dking, john.j5live, mclasen, rstrode, sandmann, stefw, walters |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-12-10 13:54:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1652195 | ||
| Bug Blocks: | 1652200 | ||
|
Description
Laura Pardo
2018-11-21 16:30:37 UTC
Created gnome-keyring tracking bugs for this issue: Affects: fedora-all [bug 1652195] Sorry, this is an invalid bug. There's no difference between this and a scp command that uploads your GPG and SSH private keys or any private file from the disk somewhere across the Internet. Issues like this are mitigated by encapsulating untrusted applications in Flatpaks. Except that SSH/GPG keys should be passphrase-protected so even if you upload the files somewhere, your secrets are still safe. Except "should be" isn't the same as "are always", and there's no reason why my personal photo collection or my bank statements aren't as senstive as my SSH/GPG keys or random passwords on random websites. And don't even get me started about the possibility that any process can hold me hostage by threatening to 'rm -rf' my whole $HOME directory. And no, this gnome-keyring libsecret issue isn't the only example of such a thing. This CVE is a joke. It's not like somebody has found something hitherto unknown. Far from it. These issues have been known and understood for years. You are very unlikely to get a single patch that fixes it. The solution, as I said so before, is to migrate applications to Flatpaks with portals acting as well-defined user-controlled gateways to accessing hardware peripherals, files, etc.. agreed this is not a security problem. see my analysis on https://gitlab.gnome.org/GNOME/gnome-keyring/issues/5 I think this is still a security issue. Not an easy one, nor one where there's a single patch that can fix everything, but it's a design issue and somehow it should be solved in the future. However, we can dispute this particular CVE for the reasons mentioned by both of you, debarshir and rstrode. Mainly because a malicious app can already do all sorts of things. Marking this flaw as NOTABUG because that is not an issue in gnome-keyring itself, but a design problem in the Linux desktop. There is no current way (except using Flatpak, sandbox, containers, etc.) to separate user applications from each other, so a malicious application could look at all your files, remove them, attach to other user processes to inspect their memory, etc. D-Bus protection mechanisms are not an option because applications could identify themselves as different applications with various mechanisms. More references: https://bugzilla.redhat.com/show_bug.cgi?id=1652194#c4 https://gitlab.gnome.org/GNOME/gnome-keyring/issues/5 Statement: Red Hat Product Security determined that this flaw was not a security vulnerability. See the Bugzilla link for more details. |