Bug 845426 (CVE-2012-3466) - CVE-2012-3466 gnome-keyring: improper caching of passwords/passphrase
Summary: CVE-2012-3466 gnome-keyring: improper caching of passwords/passphrase
Status: CLOSED ERRATA
Alias: CVE-2012-3466
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20120802,reported=2...
Keywords: Security
Depends On: 846904
Blocks: 845428
TreeView+ depends on / blocked
 
Reported: 2012-08-03 04:39 UTC by Kurt Seifried
Modified: 2012-08-21 07:05 UTC (History)
3 users (show)

Fixed In Version: gnome-keyring-3.4.1-3.fc17
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-21 07:04:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
GNOME Bugzilla 681081 None None None 2012-08-07 04:38:10 UTC
Debian BTS 683655 None None None 2012-08-07 04:37:50 UTC

Description Kurt Seifried 2012-08-03 04:39:52 UTC
Julien Cristau <jcristau@debian.org> reports:

Package: gnome-keyring
Version: 3.4.1-4
Severity: grave
Tags: security
Justification: user security hole

At some point gnome-keyring seemed to obey the configuration asking it
to stop caching passphrases after a while.  It no longer does.

$ gsettings list-recursively org.gnome.crypto.cache
org.gnome.crypto.cache gpg-cache-authorize false
org.gnome.crypto.cache gpg-cache-method 'idle'
org.gnome.crypto.cache gpg-cache-ttl 600

Yet I'm never asked for the passphrase again.

Cheers,
Julien

Comment 1 Kurt Seifried 2012-08-03 05:14:44 UTC
I have tested this on Fedora 17, trying "idle", "timeout" and "session" int he org.gnome.crypto.cache gpg-cache-method value. The "idle" and "timeout" values do not appear to work as they should, after the timeout I was able to use GPG without entering my password. To test:

gsettings set org.gnome.crypto.cache gpg-cache-method 'idle'
gsettings set org.gnome.crypto.cache gpg-cache-ttl 60

then use gpg/gpg2 to sign something, you should be prompted for your gpg password. Then leave it idle, the session should timeout after 60 seconds. Try signing something again, you are not prompted for the password.

Comment 4 Huzaifa S. Sidhpurwala 2012-08-09 05:11:27 UTC
Upstream patches available at:
https://bugzilla.gnome.org/show_bug.cgi?id=681081#c14

Comment 5 Huzaifa S. Sidhpurwala 2012-08-09 05:23:12 UTC
Created gnome-keyring tracking bugs for this issue

Affects: fedora-all [bug 846904]

Comment 7 Huzaifa S. Sidhpurwala 2012-08-21 07:05:05 UTC
Statement:

Not Vulnerable. This issue does not affect the version of gnome-keyring as shipped with Red Hat Enterprise Linux 5 and 6.


Note You need to log in before you can comment on or make changes to this bug.