Please check the attached patch applied on gnome-keyring 3.28. (see https://bug781486.bugzilla-attachments.gnome.org/attachment.cgi?id=350049)
-- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-keyring in Ubuntu. https://bugs.launchpad.net/bugs/1772919 Title: pam-gnome-keyring.so reveals user’s password credential as a plaintext form Status in gnome-keyring package in Ubuntu: New Bug description: When I perform memory dump of session-child process, user’s login credential, including user accounts and their password, is revealed as a plaintext form. In ‘pam_sm_authenticate’ function, user’s password is stored in the heap memory of ‘pam_handle->data” to perform unlock the keyring in later. After unlocking the keyring, the pam module does not free/overwrite the memory area though the password is no longer used. We thus could find user’s login credentials. This raises concerns over the credential being misused for illegal behavior, such as acquiring user’s session key. It would be better to clean the heap memory. ProblemType: Bug DistroRelease: Ubuntu 16.04 Package: gnome-keyring 3.18.3-0ubuntu2 ProcVersionSignature: Ubuntu 4.13.0-36.40~16.04.1-generic 4.13.13 Uname: Linux 4.13.0-36-generic x86_64 ApportVersion: 2.20.1-0ubuntu2.15 Architecture: amd64 CurrentDesktop: Unity Date: Wed May 23 22:53:12 2018 InstallationDate: Installed on 2018-04-20 (32 days ago) InstallationMedia: Ubuntu 16.04.4 LTS "Xenial Xerus" - Release amd64 (20180228) SourcePackage: gnome-keyring UpgradeStatus: No upgrade log present (probably fresh install) upstart.gnome-keyring-ssh.log: grep: /home/sungjungk/.config/autostart/gnome-keyring-ssh.desktop: No such file or directory To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1772919/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
