org.gnome.evolution.dataserver.Source completely unveils account credentials in plain text while using dbus-monitor
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
evolution-data-server | Fix Released | Unknown | |
evolution-data-server (Ubuntu) | Won't Fix | High | Unassigned |
Bug Description
Steps to reproduce:
1. Install Ubuntu 16.04 LTS
2. Install Evolution
3. Set up a Google account with default settings (this will end up with e-mail and calendar)
4. Reboot
5. Open Evolution Calendar and/or indicator-datetime
6. Launch `dbus-monitor`
Expected results:
* Evolution does not show account credentials in plain text in `dbus-monitor` output
Actual results:
* Evolution shows account credentials in plain text in `dbus-monitor` output:
method call time=1557268474
array [
string "password:
string "ssl-trust:"
]
method return time=1557268474
signal time=1557268474
array [
string "password:
string "ssl-trust:"
]
signal time=1557268520
array [
string "password:
string "ssl-trust:"
string "username:
]
signal time=1557268520
array [
string "password:
string "ssl-trust:"
string "username:
]
signal time=1557268520
array [
string "password:
string "ssl-trust:"
string "username:
]
-----
This is a huge security flaw. A malicious script can parse `dbus-monitor` output...
Not sure about more recent Ubuntu and Evolution versions.
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: evolution-
ProcVersionSign
Uname: Linux 4.4.0-143-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.18
Architecture: amd64
CurrentDesktop: Unity
Date: Wed May 8 01:40:27 2019
InstallationDate: Installed on 2018-01-04 (488 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
PackageArchitec
SourcePackage: evolution-
UpgradeStatus: No upgrade log present (probably fresh install)
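As an added example, not part of the bug report or of evolution-data-server itself: the script below does what the reporter warns about, parsing `dbus-monitor` text and pulling out the `password:`/`username:`/`ssl-trust:` strings, and also shows the redaction a practitioner should apply before attaching a `dbus-monitor` capture to a bug. `dbus-monitor` attaches to the caller's own session bus, so whatever it can read, any other process running as that user can read too. The sample capture is constructed for the example; the bus names, serials, object path and member names (`InvokeAuthenticate`, `CredentialsRequired`) are assumptions, and the password and e-mail address are placeholders.

```python
import re

# Constructed sample of dbus-monitor output modelled on the report above.
# Bus names, serials, object path and member names are assumptions; the
# password and address are placeholders, not values from a real capture.
SAMPLE_MONITOR_OUTPUT = """\
method call time=1557268474.102934 sender=:1.41 -> destination=:1.12 serial=17 path=/org/gnome/evolution/dataserver/SourceManager/Source_3; interface=org.gnome.evolution.dataserver.Source; member=InvokeAuthenticate
   array [
      string "password:Correct-Horse-Battery"
      string "ssl-trust:"
   ]
method return time=1557268474.103101 sender=:1.12 -> destination=:1.41 serial=88 reply_serial=17
signal time=1557268520.551020 sender=:1.12 -> destination=(null destination) serial=89 path=/org/gnome/evolution/dataserver/SourceManager/Source_3; interface=org.gnome.evolution.dataserver.Source; member=CredentialsRequired
   array [
      string "password:Correct-Horse-Battery"
      string "ssl-trust:"
      string "username:alice@example.com"
   ]
"""

# A dbus-monitor message header: message type, timestamp, then key=value fields.
HEADER_RE = re.compile(r'^(method call|method return|signal|error) time=(\S+)(.*)$')
FIELD_RE = re.compile(r'(\w+)=([^;\s]+)')
# A string argument inside the message body (indented, quoted).
STRING_RE = re.compile(r'^\s*string "(.*)"$')

# Keys used by the credentials array seen in the report.
SENSITIVE_KEYS = {"password", "username", "ssl-trust"}


def extract_credentials(monitor_output):
    """Return one record per sensitive 'key:value' string, tagged with the
    message type, timestamp, interface and member it was carried in."""
    findings = []
    current = None  # header of the message whose body we are inside
    for line in monitor_output.splitlines():
        header = HEADER_RE.match(line)
        if header:
            kind, timestamp, rest = header.groups()
            fields = dict(FIELD_RE.findall(rest))
            current = {
                "type": kind,
                "time": timestamp,
                "interface": fields.get("interface"),
                "member": fields.get("member"),
            }
            continue
        arg = STRING_RE.match(line)
        if arg and current is not None:
            key, sep, value = arg.group(1).partition(":")
            if sep and key in SENSITIVE_KEYS:
                findings.append({**current, "key": key, "value": value})
    return findings


def redact_credentials(monitor_output, keys=("password", "username")):
    """Mask the values of the given keys so a capture can be shared safely.
    Empty values (e.g. 'ssl-trust:') and non-credential strings are kept."""
    out = []
    for line in monitor_output.splitlines():
        arg = STRING_RE.match(line)
        if arg:
            key, sep, value = arg.group(1).partition(":")
            if sep and key in keys and value:
                indent = line[: len(line) - len(line.lstrip())]
                line = f'{indent}string "{key}:<redacted>"'
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in extract_credentials(SAMPLE_MONITOR_OUTPUT):
        print(f"{f['type']:13} {f['member'] or '-':20} {f['key']}={f['value']!r}")
    print(redact_credentials(SAMPLE_MONITOR_OUTPUT))
```

To run it against a live bus instead of the constructed sample, pipe `dbus-monitor --session` into the parser; `redact_credentials` is the step to apply before pasting any such capture into a public bug.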
information type: Private Security → Public Security
Changed in evolution-data-server:
status: Unknown → New
Changed in evolution-data-server (Ubuntu):
importance: Undecided → High
status: Incomplete → Triaged
Changed in evolution-data-server:
status: New → Fix Released
Changed in evolution-data-server (Ubuntu):
status: Triaged → Won't Fix
I am not certain this constitutes a security vulnerability; however, I would be interested to know the upstream developers' opinions. Could you please file a bug with the upstream project in this regard? https://gitlab.gnome.org/GNOME/evolution-data-server/issues/new?issue%5Bassignee_id%5D=&issue%5Bmilestone_id%5D=