gnome-keyring: gpg passphrase cached forever

Related Vulnerabilities: CVE-2012-3466  

Debian Bug report logs - #683655

Reported by: Julien Cristau <jcristau@debian.org>

Date: Thu, 2 Aug 2012 14:51:01 UTC

Severity: grave

Tags: fixed-upstream, security

Found in version gnome-keyring/3.4.1-4

Fixed in version gnome-keyring/3.4.1-5

Done: Laurent Bigonville <bigon@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugzilla.gnome.org/show_bug.cgi?id=681081



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Josselin Mouette <joss@debian.org>:
Bug#683655; Package gnome-keyring. (Thu, 02 Aug 2012 14:51:03 GMT).


Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Josselin Mouette <joss@debian.org>. (Thu, 02 Aug 2012 14:51:03 GMT).


Message #5 received at submit@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gnome-keyring: gpg passphrase cached forever
Date: Thu, 2 Aug 2012 16:47:23 +0200
Package: gnome-keyring
Version: 3.4.1-4
Severity: grave
Tags: security
Justification: user security hole

At some point gnome-keyring seemed to obey the configuration asking it
to stop caching passphrases after a while.  It no longer does.

$ gsettings list-recursively org.gnome.crypto.cache
org.gnome.crypto.cache gpg-cache-authorize false
org.gnome.crypto.cache gpg-cache-method 'idle'
org.gnome.crypto.cache gpg-cache-ttl 600

Yet I'm never asked for the passphrase again.

Cheers,
Julien

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'stable'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages gnome-keyring depends on:
ii  dbus-x11                                     1.6.2-2
ii  dconf-gsettings-backend [gsettings-backend]  0.12.1-2
ii  gcr                                          3.4.1-3
ii  libc6                                        2.13-35
ii  libcap-ng0                                   0.6.6-2
ii  libcap2-bin                                  1:2.22-1.1
ii  libdbus-1-3                                  1.6.2-2
ii  libgck-1-0                                   3.4.1-3
ii  libgcr-3-1                                   3.4.1-3
ii  libgcrypt11                                  1.5.0-3
ii  libglib2.0-0                                 2.32.3-1
ii  libgtk-3-0                                   3.4.2-2

Versions of packages gnome-keyring recommends:
ii  libpam-gnome-keyring  3.4.1-4

gnome-keyring suggests no packages.

-- no debconf information

Information forwarded to debian-bugs-dist@lists.debian.org, Josselin Mouette <joss@debian.org>:
Bug#683655; Package gnome-keyring. (Thu, 02 Aug 2012 15:12:02 GMT).


Acknowledgement sent to Roland Mas <lolando@debian.org>:
Extra info received and forwarded to list. Copy sent to Josselin Mouette <joss@debian.org>. (Thu, 02 Aug 2012 15:12:02 GMT).


Message #10 received at 683655@bugs.debian.org:

From: Roland Mas <lolando@debian.org>
To: 683655@bugs.debian.org
Subject: #683655: Me too (different settings)
Date: Thu, 02 Aug 2012 17:08:39 +0200
Slightly different settings, but similar behaviour here:

$ gsettings list-recursively org.gnome.crypto.cache
org.gnome.crypto.cache gpg-cache-authorize false
org.gnome.crypto.cache gpg-cache-method 'timeout'
org.gnome.crypto.cache gpg-cache-ttl 60

Roland.
-- 
Roland Mas

Despite rumour, Death isn't cruel - merely terribly, terribly good at his job.
  -- in Sourcery (Terry Pratchett)



Set Bug forwarded-to-address to 'https://bugzilla.gnome.org/show_bug.cgi?id=681081'. Request was from Laurent Bigonville <bigon@debian.org> to control@bugs.debian.org. (Thu, 02 Aug 2012 15:57:05 GMT).


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Fri, 10 Aug 2012 09:51:24 GMT).


Reply sent to Laurent Bigonville <bigon@debian.org>:
You have taken responsibility. (Sun, 19 Aug 2012 21:06:11 GMT).


Notification sent to Julien Cristau <jcristau@debian.org>:
Bug acknowledged by developer. (Sun, 19 Aug 2012 21:06:11 GMT).


Message #19 received at 683655-close@bugs.debian.org:

From: Laurent Bigonville <bigon@debian.org>
To: 683655-close@bugs.debian.org
Subject: Bug#683655: fixed in gnome-keyring 3.4.1-5
Date: Sun, 19 Aug 2012 21:03:02 +0000
Source: gnome-keyring
Source-Version: 3.4.1-5

We believe that the bug you reported is fixed in the latest version of
gnome-keyring, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683655@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laurent Bigonville <bigon@debian.org> (supplier of updated gnome-keyring package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 19 Aug 2012 22:01:53 +0200
Source: gnome-keyring
Binary: gnome-keyring libpam-gnome-keyring
Architecture: source amd64
Version: 3.4.1-5
Distribution: unstable
Urgency: low
Maintainer: Josselin Mouette <joss@debian.org>
Changed-By: Laurent Bigonville <bigon@debian.org>
Description: 
 gnome-keyring - GNOME keyring services (daemon and tools)
 libpam-gnome-keyring - PAM module to unlock the GNOME keyring upon login
Closes: 683655
Changes: 
 gnome-keyring (3.4.1-5) unstable; urgency=low
 .
   * d/p/0001-schema-Update-description-for-gpg-cache-method.patch,
     d/p/0002-gpg-agent-Hook-up-the-TTL-cache-option.patch,
     d/p/0003-secret-store-Mark-a-secret-item-as-used-when-accesse.patch:
     Properly expire caching of the GPG passphrases (Taken from upstream)
     (Closes: #683655, CVE-2012-3466)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Sep 2012 07:26:56 GMT).
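
A check built from the data in this log, added here as an example (it is not code from the bug report or from gnome-keyring): it reads `org.gnome.crypto.cache` settings in the format quoted above and reports whether a requested passphrase expiry is running on a version older than the fixed 3.4.1-5. The function names and verdict strings are assumptions, and `sort -V` stands in for exact Debian version ordering.

```shell
#!/bin/sh
# Added example, not part of the bug log.
FIXED_VERSION="3.4.1-5"   # "Fixed in version" from this bug log

# True when $1 sorts strictly before $2. Assumption: GNU `sort -V` is an
# adequate stand-in for Debian ordering on simple versions like these; on a
# Debian host `dpkg --compare-versions "$1" lt "$2"` is the exact test.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Extract one key's value from `gsettings list-recursively` output ($1).
setting() {
    printf '%s\n' "$1" |
        awk -v k="$2" '$1 == "org.gnome.crypto.cache" && $2 == k { print $3 }' |
        tr -d "'"
}

# assess VERSION SETTINGS -> one-line verdict on stdout.
# Only 'idle' and 'timeout' (the two methods seen in this log) are treated
# as requests for expiry. The log confirms 3.4.1-4 as affected; for older
# versions "unpatched" only means the fix is absent.
assess() {
    method=$(setting "$2" gpg-cache-method)
    ttl=$(setting "$2" gpg-cache-ttl)
    case "$method" in
        idle|timeout) ;;
        *) echo "no-expiry-requested method=${method:-unset}"; return 0 ;;
    esac
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "unpatched method=$method ttl=$ttl"
    else
        echo "patched method=$method ttl=$ttl"
    fi
}

# Constructed sample input, in the shape of the settings reported above.
SAMPLE_IDLE="org.gnome.crypto.cache gpg-cache-authorize false
org.gnome.crypto.cache gpg-cache-method 'idle'
org.gnome.crypto.cache gpg-cache-ttl 600"

# Live use on a Debian host (not run here):
#   assess "$(dpkg-query -W -f='${Version}' gnome-keyring)" \
#          "$(gsettings list-recursively org.gnome.crypto.cache)"
assess "3.4.1-4" "$SAMPLE_IDLE"
```

An "unpatched" verdict means the configured TTL cannot be relied on to expire the cached GPG passphrase until the package is upgraded.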




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:09:07 2019; Machine Name: beach
