Debian Bug report logs - #683655
gnome-keyring: gpg passphrase cached forever

version graph

Package: gnome-keyring; Maintainer for gnome-keyring is Josselin Mouette <joss@debian.org>; Source for gnome-keyring is src:gnome-keyring.

Reported by: Julien Cristau <jcristau@debian.org>

Date: Thu, 2 Aug 2012 14:51:01 UTC

Severity: grave

Tags: fixed-upstream, security

Found in version gnome-keyring/3.4.1-4

Fixed in version gnome-keyring/3.4.1-5

Done: Laurent Bigonville <bigon@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugzilla.gnome.org/show_bug.cgi?id=681081

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Josselin Mouette <joss@debian.org>:
Bug#683655; Package gnome-keyring. (Thu, 02 Aug 2012 14:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Josselin Mouette <joss@debian.org>. (Thu, 02 Aug 2012 14:51:03 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gnome-keyring: gpg passphrase cached forever
Date: Thu, 2 Aug 2012 16:47:23 +0200
[Message part 1 (text/plain, inline)]
Package: gnome-keyring
Version: 3.4.1-4
Severity: grave
Tags: security
Justification: user security hole

At some point gnome-keyring seemed to obey the configuration asking it
to stop caching passphrases after a while.  It no longer does.

$ gsettings list-recursively org.gnome.crypto.cache
org.gnome.crypto.cache gpg-cache-authorize false
org.gnome.crypto.cache gpg-cache-method 'idle'
org.gnome.crypto.cache gpg-cache-ttl 600

Yet I'm never asked for the passphrase again.

Cheers,
Julien

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'stable'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages gnome-keyring depends on:
ii  dbus-x11                                     1.6.2-2
ii  dconf-gsettings-backend [gsettings-backend]  0.12.1-2
ii  gcr                                          3.4.1-3
ii  libc6                                        2.13-35
ii  libcap-ng0                                   0.6.6-2
ii  libcap2-bin                                  1:2.22-1.1
ii  libdbus-1-3                                  1.6.2-2
ii  libgck-1-0                                   3.4.1-3
ii  libgcr-3-1                                   3.4.1-3
ii  libgcrypt11                                  1.5.0-3
ii  libglib2.0-0                                 2.32.3-1
ii  libgtk-3-0                                   3.4.2-2

Versions of packages gnome-keyring recommends:
ii  libpam-gnome-keyring  3.4.1-4

gnome-keyring suggests no packages.

-- no debconf information
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#683655; Package gnome-keyring. (Thu, 02 Aug 2012 15:12:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Roland Mas <lolando@debian.org>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>. (Thu, 02 Aug 2012 15:12:02 GMT) Full text and rfc822 format available.

Message #10 received at 683655@bugs.debian.org (full text, mbox):

From: Roland Mas <lolando@debian.org>
To: 683655@bugs.debian.org
Subject: #683655: Me too (different settings)
Date: Thu, 02 Aug 2012 17:08:39 +0200
Slightly different settings, but similar behaviour here:

$ gsettings list-recursively org.gnome.crypto.cache
org.gnome.crypto.cache gpg-cache-authorize false
org.gnome.crypto.cache gpg-cache-method 'timeout'
org.gnome.crypto.cache gpg-cache-ttl 60

Roland.
-- 
Roland Mas

Despite rumour, Death isn't cruel - merely terribly, terribly good at his job.
  -- in Sourcery (Terry Pratchett)



Set Bug forwarded-to-address to 'https://bugzilla.gnome.org/show_bug.cgi?id=681081'. Request was from Laurent Bigonville <bigon@debian.org> to control@bugs.debian.org. (Thu, 02 Aug 2012 15:57:05 GMT) Full text and rfc822 format available.

Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Fri, 10 Aug 2012 09:51:24 GMT) Full text and rfc822 format available.

Reply sent to Laurent Bigonville <bigon@debian.org>:
You have taken responsibility. (Sun, 19 Aug 2012 21:06:11 GMT) Full text and rfc822 format available.

Notification sent to Julien Cristau <jcristau@debian.org>:
Bug acknowledged by developer. (Sun, 19 Aug 2012 21:06:11 GMT) Full text and rfc822 format available.

Message #19 received at 683655-close@bugs.debian.org (full text, mbox):

From: Laurent Bigonville <bigon@debian.org>
To: 683655-close@bugs.debian.org
Subject: Bug#683655: fixed in gnome-keyring 3.4.1-5
Date: Sun, 19 Aug 2012 21:03:02 +0000
Source: gnome-keyring
Source-Version: 3.4.1-5

We believe that the bug you reported is fixed in the latest version of
gnome-keyring, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683655@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laurent Bigonville <bigon@debian.org> (supplier of updated gnome-keyring package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 19 Aug 2012 22:01:53 +0200
Source: gnome-keyring
Binary: gnome-keyring libpam-gnome-keyring
Architecture: source amd64
Version: 3.4.1-5
Distribution: unstable
Urgency: low
Maintainer: Josselin Mouette <joss@debian.org>
Changed-By: Laurent Bigonville <bigon@debian.org>
Description: 
 gnome-keyring - GNOME keyring services (daemon and tools)
 libpam-gnome-keyring - PAM module to unlock the GNOME keyring upon login
Closes: 683655
Changes: 
 gnome-keyring (3.4.1-5) unstable; urgency=low
 .
   * d/p/0001-schema-Update-description-for-gpg-cache-method.patch,
     d/p/0002-gpg-agent-Hook-up-the-TTL-cache-option.patch,
     d/p/0003-secret-store-Mark-a-secret-item-as-used-when-accesse.patch:
     Properly expire caching of the GPG passphrases (Taken from upstream)
     (Closes: #683655, CVE-2012-3466)
Checksums-Sha1: 
 e1764fb4c9685d5f5591e014ef8c65e33c29d706 2316 gnome-keyring_3.4.1-5.dsc
 0b7a75cc0949fe5968fb3f10d9e5e6fc5c73dcd0 18183 gnome-keyring_3.4.1-5.debian.tar.gz
 79b6e0ca8456f28f049e7a46a3ee2a384966fe97 935506 gnome-keyring_3.4.1-5_amd64.deb
 919660dd51bc36f6d85878ea57131f8ded50c8f6 251224 libpam-gnome-keyring_3.4.1-5_amd64.deb
Checksums-Sha256: 
 aee4370f0e26074ba9f79fd7d01f845409fc4b60ec8f7822b9b658bb3b388c3c 2316 gnome-keyring_3.4.1-5.dsc
 ee2986fc14f5e379818ade0843b5c005844fcb9dcf216db88070258bd0dd7f5a 18183 gnome-keyring_3.4.1-5.debian.tar.gz
 2571b729382b478ea6022fe9a45d128f61cf63fd35b39a5e2ad00ea15a96381b 935506 gnome-keyring_3.4.1-5_amd64.deb
 ec2b7228d28bd531271dcb538a2ed600e37d32fa0311c516a1da66d3a5d03396 251224 libpam-gnome-keyring_3.4.1-5_amd64.deb
Files: 
 6a0911d091f0c72c9aa497d587df87c5 2316 gnome optional gnome-keyring_3.4.1-5.dsc
 a6c4893d4ab660046a125ba9209d9687 18183 gnome optional gnome-keyring_3.4.1-5.debian.tar.gz
 54139ff2ddd75d3f508c957d496ca3e3 935506 gnome optional gnome-keyring_3.4.1-5_amd64.deb
 e23cc168be94e77aa025e6f759dc2727 251224 admin optional libpam-gnome-keyring_3.4.1-5_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJQMUhTAAoJEB/FiR66sEPVqdwH/399gEBQJMRBQtrzdA/veQyD
nF/WhCBIySC2wytfpvSqtNLXaMW99MWYnJee+0DwFEA4LEOjdHLJ5cxBXIcK7wN2
7pjtWa/l+Vus+0iVvKUPeFNVBioGKcY6dzETMshW9mEMHs1FbPYGbzPuyWZjBPTO
BSq/bOLkCRbl5BrHU+KVgu0IjoegoRwpAMaQ3RnHTGRXpG/zck6fKIH+4lZijDme
a4Wy+FMx0pBsCYMAx/vLRlS2OwNtMlpBK1Wzvj7T1udJo+cywlEU6eC0hC22MChy
JuXetF71ah05M8eeJ2TP027F2zbFfTzzv65S/76uUAbh0FTYtja7cjyKxizH9P4=
=XI09
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Sep 2012 07:26:56 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 01:48:54 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.