Python binding for gnomekeyring prevents password prompt on unlock
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Gnome Python Desktop | Won't Fix | Medium | |
gnome-python-desktop (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
According to the doc for gnomekeyring, passing a NULL password into gnome_keyring_
Passing None into Python's gnomekeyring.
---
$ cat h2.py
#!/usr/bin/env python
# From http://
import pygtk
pygtk.require(
import gtk # sets app name
import gnomekeyring
def hack():
    keyring = "balancer.
    gnomekeyrin
if __name__ == '__main__':
    hack()
$ python h2.py
Traceback (most recent call last):
  File "h2.py", line 14, in <module>
    hack()
  File "h2.py", line 11, in hack
    gnomekeyrin
TypeError: unlock_sync() argument 2 must be string, not None
----
I expect the user to be prompted by the daemon.
This is a security vulnerability, as it forces apps to render their own password prompt, which may be spoofed by an attacker, rather than the (presumably) more secure trusted path of the daemon.
ProblemType: Bug
Architecture: i386
DistroRelease: Ubuntu 9.04
Package: python-
ProcEnviron:
PATH=(custom, user)
LANG=en_CA.UTF-8
SHELL=/bin/bash
SourcePackage: gnome-python-
Uname: Linux 2.6.28-15-generic i686
Changed in gnome-python-desktop (Ubuntu):
status: New → Confirmed
Changed in gnome-python-desktop:
importance: Unknown → Medium
status: Unknown → New
Changed in gnome-python-desktop:
status: New → Won't Fix
Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.