Bug 845426 (CVE-2012-3466)
Summary: | CVE-2012-3466 gnome-keyring: improper caching of passwords/passphrase | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | unspecified | CC: | debarshir, tbzatek, walters |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | gnome-keyring-3.4.1-3.fc17 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2012-08-21 07:04:19 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 846904 | | |
Bug Blocks: | 845428 | | |

Description
Kurt Seifried
2012-08-03 04:39:52 UTC
I have tested this on Fedora 17, trying "idle", "timeout" and "session" in the org.gnome.crypto.cache gpg-cache-method value. The "idle" and "timeout" values do not appear to work as they should; after the timeout I was able to use GPG without entering my password.

To test:

    gsettings set org.gnome.crypto.cache gpg-cache-method 'idle'
    gsettings set org.gnome.crypto.cache gpg-cache-ttl 60

then use gpg/gpg2 to sign something, you should be prompted for your gpg password. Then leave it idle, the session should timeout after 60 seconds. Try signing something again, you are not prompted for the password.

Upstream patches available at: https://bugzilla.gnome.org/show_bug.cgi?id=681081#c14

Created gnome-keyring tracking bugs for this issue

Affects: fedora-all [bug 846904]

Statement: Not Vulnerable. This issue does not affect the version of gnome-keyring as shipped with Red Hat Enterprise Linux 5 and 6.
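
A model of the expiry behaviour that the test in the description expects, added here as an example and not taken from the bug report or from gnome-keyring's code. The class and function names are hypothetical, and the semantics used for 'idle' (timer reset on each use) and 'timeout' (timer fixed when the passphrase is first cached) are assumptions.

```python
# Added illustration: the three gpg-cache-method policies with an explicit clock.
# The idle/timeout semantics are assumptions, not gnome-keyring's own code.
from dataclasses import dataclass
from typing import Optional


@dataclass
class PassphraseCache:
    method: str                      # 'idle', 'timeout' or 'session'
    ttl: int                         # seconds, as in gpg-cache-ttl
    _secret: Optional[str] = None
    _cached_at: float = 0.0
    _last_used: float = 0.0

    def store(self, secret: str, now: float) -> None:
        self._secret = secret
        self._cached_at = self._last_used = now

    def _expired(self, now: float) -> bool:
        if self.method == "session":
            return False                                  # kept until logout
        if self.method == "idle":
            return now - self._last_used >= self.ttl      # measured from last use
        if self.method == "timeout":
            return now - self._cached_at >= self.ttl      # measured from first caching
        raise ValueError(f"unknown cache method: {self.method}")

    def lookup(self, now: float) -> Optional[str]:
        """Return the cached passphrase, or None when the user must be prompted."""
        if self._secret is None:
            return None
        if self._expired(now):
            self._secret = None          # forget the secret, do not merely hide it
            return None
        self._last_used = now            # a successful use resets the idle timer
        return self._secret


def prompts_on_second_sign(method: str, ttl: int, wait: float) -> bool:
    """Replay the report's test: sign at t=0, leave it idle for `wait`, sign again."""
    cache = PassphraseCache(method, ttl)
    cache.store("constructed-passphrase", now=0.0)   # constructed sample value
    return cache.lookup(now=wait) is None


if __name__ == "__main__":
    for m in ("idle", "timeout", "session"):
        print(m, "prompts after 61s:", prompts_on_second_sign(m, 60, 61))
```

With a 60 second TTL, a correct 'idle' or 'timeout' cache prompts again after 61 seconds; the behaviour described in the report matches what this model produces only for 'session'.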