*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: gnome-keyring

In previous versions of Ubuntu, gnome-keyring enforced permissions on secrets on an application level. When network-manager stored a secret in the keyring, read/write/delete permissions would be assigned to network-manager. If a different application tried to access a secret that doesn't belong to it, the user would get a visual prompt to indicate something is amiss, and would need to confirm the access rights.

These access rights would be displayed in the "Applications" tab of seahorse. See the attached screenshots.

In Lucid, permissions do not work, and are not enforced. Any application can access secrets not belonging to it without the user's knowledge. The "Applications" tab of seahorse is completely empty.

This is a severe security regression.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: gnome-keyring 2.92.92.is.2.30.0-0ubuntu2
ProcVersionSignature: Ubuntu 2.6.32-21.32-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-21-generic x86_64
Architecture: amd64
Date: Wed Apr 21 09:09:24 2010
EcryptfsInUse: Yes
ProcEnviron:
 PATH=(custom, user)
 LANG=en_CA.utf8
 SHELL=/bin/bash
SourcePackage: gnome-keyring

** Affects: gnome-keyring (Ubuntu)
   Importance: Undecided
   Status: New

** Affects: gnome-keyring (Ubuntu Lucid)
   Importance: Undecided
   Status: New

** Tags: amd64 apport-bug lucid regression-potential

--
gnome-keyring no longer enforces application permissions
https://bugs.launchpad.net/bugs/567879
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs