*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: gnome-keyring

In previous versions of Ubuntu, gnome-keyring enforced permissions on
secrets on an application level. When network-manager stored a secret in
the keyring, read/write/delete permissions would be assigned to network-
manager. If a different application tried to access a secret that
doesn't belong to it, the user would get a visual prompt to indicate
something is amiss, and would need to confirm the access rights. These
access rights would be displayed in the "Applications" tab of seahorse.
See the attached screenshots.

In Lucid, permissions do not work, and are not enforced. Any application
can access secrets not belonging to it without the user's knowledge. The
"Applications" tab of seahorse is completely empty.

This is a severe security regression.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: gnome-keyring 2.92.92.is.2.30.0-0ubuntu2
ProcVersionSignature: Ubuntu 2.6.32-21.32-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-21-generic x86_64
Architecture: amd64
Date: Wed Apr 21 09:09:24 2010
EcryptfsInUse: Yes
ProcEnviron:
 PATH=(custom, user)
 LANG=en_CA.utf8
 SHELL=/bin/bash
SourcePackage: gnome-keyring

** Affects: gnome-keyring (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: gnome-keyring (Ubuntu Lucid)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug lucid regression-potential

-- 
gnome-keyring no longer enforces application permissions
https://bugs.launchpad.net/bugs/567879
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
