*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Jamie Strandboge
(jdstrand):
Binary package hint: gstm
gaskpass (the utility within the gstm distribution) does not return a
non-zero error code when the user presses cancel.
A user presented with a gaskpass prompt might expect that pressing
cancel would deny access. From x11-ssh-askpass(1x) [note especially
the final sentence]:
> Pressing the ‘OK’ button accepts the pass-phrase (even if it is empty), which
> is printed on the standard output, and the dialog exits with a status of zero
> (success). Pressing the ‘Cancel’ button discards the pass-phrase, and the
> dialog exits with non-zero status.
The failure to exit with non-zero status is a serious problem, because
dialogs (e.g. the session-multiplexing prompts) that are not really
asking for passwords are confused by having "ok" and "cancel" have the
same behavior. In the session-multiplexing environment, a user's
intention to deny access to the multiplexed session could be ignored and
access granted anyway.
** Affects: gstm (Ubuntu)
Importance: Undecided
Status: New
--
Pressing cancel on gaskpass dialog should return non-zero error.
https://bugs.launchpad.net/bugs/276517
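
The exit-status contract described in the report, as an added example that is not part of the original report and is not gstm's code. The two helper functions are constructed stand-ins (the button press is simulated by an argument), and `confirm` is a hypothetical caller that decides on exit status alone, as a yes/no confirmation prompt would.

```shell
#!/bin/sh
# Constructed stand-ins for an askpass helper; neither is gstm's code.
# $1 simulates the button pressed ("ok" or "cancel"), $2 the typed text.

# Behaves as the quoted x11-ssh-askpass(1x) text requires:
# OK prints the input and exits 0, Cancel exits non-zero.
askpass_conforming() {
    case "$1" in
        ok) printf '%s\n' "${2-}"; return 0 ;;
        *)  return 1 ;;
    esac
}

# Shows the defect the report describes: Cancel also exits 0.
askpass_reported_bug() {
    case "$1" in
        ok) printf '%s\n' "${2-}" ;;
    esac
    return 0
}

# Hypothetical caller for a confirmation prompt (not a password prompt):
# only the helper's exit status distinguishes "allow" from "deny".
confirm() {
    if "$1" "$2" >/dev/null; then
        echo allow
    else
        echo deny
    fi
}

# Regression check a packager could run against a helper:
# OK must allow, Cancel must deny.
check_helper() {
    [ "$(confirm "$1" ok)" = allow ] || return 1
    [ "$(confirm "$1" cancel)" = deny ] || return 1
}

for h in askpass_conforming askpass_reported_bug; do
    if check_helper "$h"; then
        echo "$h: PASS"
    else
        echo "$h: FAIL (Cancel is not treated as a denial)"
    fi
done
```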