Bug 1305770 - libgnome: Enrolling fingerprint requires no password
Summary: libgnome: Enrolling fingerprint requires no password
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1333882
Blocks: 1305771
TreeView+ depends on / blocked
 
Reported: 2016-02-09 08:27 UTC by Adam Mariš
Modified: 2019-09-29 13:44 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:48:15 UTC
Embargoed:

Attachments (Terms of Use)

Description Adam Mariš 2016-02-09 08:27:43 UTC 
It was reported that in Gnome 3, it is possible to enroll a new fingerprint for login authentication (which can also be used for sudo in some configurations), without having to enter the owner's password. Attacker can enroll his own fingerprint when the owner leaves their laptop unlocked for a minute, meaning he can also enter the laptop later if its locked.
Comment 3 Adam Mariš 2016-05-06 14:31:37 UTC 
Upstream bug:

https://bugs.freedesktop.org/show_bug.cgi?id=89407

Note that this behavior can be changed in fprintd PolicyKit settings in /usr/share/polkit-1/actions/net.reactivated.fprint.device.policy
Comment 4 Adam Mariš 2016-05-06 14:32:31 UTC 
Created fprintd tracking bugs for this issue:

Affects: fedora-all [bug 1333882]
Comment 7 Adam Mariš 2016-05-09 14:55:55 UTC 
This issue has been reported as far back as 2011:

https://bugzilla.gnome.org/show_bug.cgi?id=651196
Comment 8 Patrick Uiterwijk 2016-08-06 07:53:31 UTC 
Note that the GNOME bug says that the decision is up to the distribution policy, but it seems that the distribution policy for Fedora apparantly does not require authentication.
So for Fedora, this is still a bug.
Note You need to log in before you can comment on or make changes to this bug.