Bug 1693356
Summary: | fprintd: stores user fingerprints as image files without encryption | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | bnocera, sungjungk |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-04-09 05:54:03 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1693357 | ||
Bug Blocks: | 1693359 |
Description
Laura Pardo
2019-03-27 16:02:38 UTC
Created fprintd tracking bugs for this issue: Affects: fedora-all [bug 1693357] Acknowledgments: Name: Seong-Joong Kim The fprintf daemon in Red Hat Enterprise Linux is contained by the default installed selinux policy. This prevents other applications (which dont need access to fingerprint data) from accessing this fingerprint data and therefore ensures a good level of security for the same. Also as per upstream: https://gitlab.freedesktop.org/libfprint/fprintd/issues/16#note_141207 such an LSM based security system should be enough to safeguard this data. And there is no short term plan for any other implementation. Based on above, Red Hat Product Security does not believe this to be a security flaw. I don’t think it would be as good. Particularly, desktop users usually disable or change it to permissive mode in SELinux. Instead, how about trying to add user authentication while attempting to access the fingerprint data? It would be possible to apply it since the fingerprint data is separately located in different path (e.g., /var/lib/username/device-id/XXX). Under such a scenario, I think it is not justifiable to shift protection responsibility to OS entirely. Instead, we need to devise a data encryption/protection scheme at least. This issue can be even more important than password exposure in cleartext. Because once fingerprint has been leaked, victims are leaked for the rest of life since it lasts for a life. What do you think of it? |