Ubuntu
sudo package

authentication in livesession accepts any value as password

Bug #1395720 reported by Elfy
18
This bug affects 4 people
Affects Status Importance Assigned to Milestone
Catfish
Fix Released
Undecided
Sean Davis
Catfish 1.3.1
sudo (Ubuntu)
Fix Released
High
Unassigned

Bug Description

Boot livesession, open catfish and try to update the database.

Authentication dialogue accepts any value - rather than not want one. Livesession's being passwordless generally.

Tried with admin, test, abracadabra and amIgoinginsane - all were accepted and database was unlocked and updated.

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: catfish 1.2.2-1
ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4
Uname: Linux 3.16.0-24-generic x86_64
ApportVersion: 2.14.7-0ubuntu10
Architecture: amd64
CasperVersion: 1.346
CurrentDesktop: XFCE
Date: Mon Nov 24 13:28:09 2014
LiveMediaBuild: Xubuntu 15.04 "Vivid Vervet" - Alpha amd64 (20141124)
PackageArchitecture: all
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: catfish
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Elfy (elfy) wrote :
Revision history for this message
Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
http://iso.qa.ubuntu.com/qatracker/reports/bugs/1395720

tags: added: iso-testing
Revision history for this message
Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu Package testing tracker.

A list of all reports related to this bug can be found here:
http://packages.qa.ubuntu.com/qatracker/reports/bugs/1395720

tags: added: package-qa-testing
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in catfish (Ubuntu):
status: New → Confirmed
Revision history for this message
Lyn Perrine (walterorlin) wrote :

I was able to reproduce this in Lubuntu after installing catfish. I tried WeLoveAlladinSane as a password and it authentaticated.

Alberto Salvia Novella (es20490446e)
Changed in catfish (Ubuntu):
importance: Undecided → High
information type: Public → Public Security
Revision history for this message
Elfy (elfy) wrote :

given that if someone is able to only reproduce this in a livesession - and thus has physical access - not really a security issue - or if it is such - something that we're not able to deal with using software

Revision history for this message
Thaddaeus Tintenfisch (thad-fisch-deactivatedaccount) wrote :

Accepting any password in a password-less environment (live session) is not a security issue.

information type: Public Security → Public
Revision history for this message
Sean Davis (bluesabre) wrote :

Fixed at revision https://bazaar.launchpad.net/~catfish-search/catfish-search/trunk/revision/380

Changed in catfish-search:
status: New → Fix Committed
Sean Davis (bluesabre)
Changed in catfish-search:
milestone: none → 1.3.1
assignee: nobody → Sean Davis (bluesabre)
Sean Davis (bluesabre)
Changed in catfish-search:
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package catfish - 1.3.1-0ubuntu1

---------------
catfish (1.3.1-0ubuntu1) wily; urgency=medium

  * New upstream bugfix release
    - Fix: authentication in livesession accepts any
      value as password (LP: #1395720)
    - Fix: Catfish will lock up if 'locate' is not
      installed (LP: #1482919)
    - Fix: Catfish does not find files whose size
      exceeds 2GB (LP: #1442559)

 -- Sean Davis <email address hidden> Tue, 08 Sep 2015 20:54:13 -0400

Changed in catfish (Ubuntu):
status: Confirmed → Fix Released
Michael (mmcauliff1453)
affects: catfish (Ubuntu) → sudo (Ubuntu)
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.