[Bug 1822590] Re: Found storing user fingerprints without encryption
** Changed in: fprintd
   Status: New => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1822590

Title: Found storing user fingerprints without encryption

To manage notifications about this bug go to:
https://bugs.launchpad.net/fprintd/+bug/1822590/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1822590] Re: Found storing user fingerprints without encryption
** Changed in: debian
   Status: Unknown => Confirmed
[Bug 1822590] Re: Found storing user fingerprints without encryption
I'll include as a comment my reply to an email from the reporter:

Hello,

Note that the Ubuntu security team considers fingerprints to be akin to usernames, rather than passwords. They cannot be changed, they are left on thousands of objects daily, and repeated demonstrations of sensors being 'fooled' by artificial constructions from photographs etc. basically mean fingerprints are not worth much as authentication tokens.

In the Main Inclusion Request review for fprintd and libfprint, we included:

  It's important to note that security team considers fingerprints to be akin to usernames and not passwords. Any potential issues with this tool will be treated with this threat model in mind.

  -- https://bugs.launchpad.net/ubuntu/+source/fprintd/+bug/1745455

Under this threat model, disclosure of a fingerprint is not a vulnerability.

Perhaps the fprintd or libfprint authors will see things differently, but I suspect most security practitioners have decided that fingerprints are identifiers, not authenticators.

Thanks

** Changed in: apparmor (Ubuntu)
   Status: New => Won't Fix
[Bug 1822590] Re: Found storing user fingerprints without encryption
Incidentally, there's nothing for the AppArmor project to do here -- any confined program will include or not include the fingerprint data as specified in the profile.

Thanks
[Bug 1822590] Re: Found storing user fingerprints without encryption
** Bug watch added: Debian Bug tracker #926749
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926749

** Also affects: apparmor (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926749
   Importance: Unknown
   Status: Unknown

** No longer affects: apparmor (Debian)

** Also affects: debian via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926749
   Importance: Unknown
   Status: Unknown
[Bug 1822590] Re: Found storing user fingerprints without encryption
In Ubuntu, that would be good.

Btw, I would like to request escalating the importance. I think that this issue can be even more important than password exposure in cleartext. Once a fingerprint has been leaked, victims are leaked for the rest of their lives, since it lasts for a lifetime. Then, it severely affects applications beyond the package responsible for the root cause.

What do you think of it?
[Bug 1822590] Re: Found storing user fingerprints without encryption
** Changed in: fprintd
   Status: Unknown => New
[Bug 1822590] Re: Found storing user fingerprints without encryption
It would probably be useful for Ubuntu to have an apparmor profile there

** Changed in: fprintd (Ubuntu)
   Importance: Undecided => Low

** Changed in: fprintd (Ubuntu)
   Status: New => Triaged

** Also affects: fprintd via
   https://gitlab.freedesktop.org/libfprint/fprintd/issues/16
   Importance: Unknown
   Status: Unknown

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New
[Bug 1822590] Re: Found storing user fingerprints without encryption
** Information type changed from Private Security to Public Security