Remote Login Service stores servers from previous user

Bug #1070896 reported by Ted Gould on 2012-10-24
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Remote Login Service | | High | Unassigned |
remote-login-service (Ubuntu) | | High | Unassigned |
Quantal | | High | Marc Deslauriers |
Raring | | High | Unassigned |

Bug Description

If a user logs into RLS and gets the servers, and then another user logs in, instead of deleting the previous user's, the RLS service returns both sets of servers.

This is a security bug, but an unlikely one. It would require the user logging into RLS, then walking away from the machine without using the results. And then someone coming and logging into the same machine.

Related branches

lp:~aacid/remote-login-service/free_subservers_on_new_call
Merged into lp:remote-login-service at revision 77
Ted Gould: Approve on 2012-10-24
PS Jenkins bot: Pending (continuous-integration) requested 2012-10-24
lp:~ted/remote-login-service/ubuntu-cve
Ubuntu Desktop: Pending requested 2012-10-24

CVE References

Changed in remote-login-service:
status: In Progress → Fix Committed
Ted Gould (ted) on 2012-10-24
Changed in remote-login-service (Ubuntu):
status: New → Confirmed
Changed in remote-login-service:
importance: Undecided → High
Changed in remote-login-service (Ubuntu):
importance: Undecided → High
information type: Public → Public Security
Changed in remote-login-service (Ubuntu Quantal):
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package remote-login-service - 1.0.0-0ubuntu1.1

---------------
remote-login-service (1.0.0-0ubuntu1.1) quantal-security; urgency=low

  * SECURITY UPDATE: credentials disclosure via second login (LP: #1070896)
    - debian/patches/01_clear_servers.patch: Clear servers on second login
      in src/uccs-server.c, add test to tests/dbus-interface.c.
    - CVE-2012-0959
 -- Marc Deslauriers <email address hidden> Mon, 05 Nov 2012 14:05:14 -0500

Changed in remote-login-service (Ubuntu Quantal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package remote-login-service - 1.0.0-0ubuntu2

---------------
remote-login-service (1.0.0-0ubuntu2) raring; urgency=low

  * SECURITY UPDATE: credentials disclosure via second login (LP: #1070896)
    - debian/patches/01_clear_servers.patch: Clear servers on second login
      in src/uccs-server.c, add test to tests/dbus-interface.c.
    - CVE-2012-0959
 -- Marc Deslauriers <email address hidden> Mon, 05 Nov 2012 14:05:14 -0500

Changed in remote-login-service (Ubuntu Raring):
status: Confirmed → Fix Released
David Barth (dbarth) on 2012-11-19
Changed in remote-login-service:
status: Fix Committed → Fix Released
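
The behaviour described in the bug report, next to the remedy the changelog names ("Clear servers on second login"), as an added C example. It is not the project's code or its patch; the struct, the function names and the server names are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_SERVERS 8
#define NAME_LEN 64

/* Hypothetical stand-in for the service's cached server list. */
struct server_cache {
    char names[MAX_SERVERS][NAME_LEN];
    size_t count;
};

/* Wipe every stored entry so nothing from an earlier login survives. */
static void cache_clear(struct server_cache *c) {
    memset(c, 0, sizeof *c);
}

/* Store the servers returned for one login and return the new total.
 * With clear_first == 0 results accumulate across logins (the reported bug). */
static size_t cache_store_login(struct server_cache *c, const char *const *servers,
                                size_t n, int clear_first) {
    if (clear_first)
        cache_clear(c);
    for (size_t i = 0; i < n && c->count < MAX_SERVERS; i++)
        snprintf(c->names[c->count++], NAME_LEN, "%s", servers[i]);
    return c->count;
}

/* Returns 1 if the cache would hand out the named server. */
static int cache_contains(const struct server_cache *c, const char *name) {
    for (size_t i = 0; i < c->count; i++)
        if (strcmp(c->names[i], name) == 0)
            return 1;
    return 0;
}

/* Constructed sample data: two users with disjoint server lists. */
static const char *const ALICE[] = { "alice-desktop.example", "alice-citrix.example" };
static const char *const BOB[]   = { "bob-rdp.example" };

/* First user logs in, then the second; is the first user's server still listed? */
static int leaks_after_second_login(int clear_first) {
    struct server_cache c = {0};
    cache_store_login(&c, ALICE, 2, clear_first);
    cache_store_login(&c, BOB, 1, clear_first);
    return cache_contains(&c, "alice-desktop.example");
}

int main(void) {
    printf("leak without clear=%d, with clear=%d\n",
           leaks_after_second_login(0), leaks_after_second_login(1));
    return 0;
}
```

A regression test for this class of bug should perform two logins with different identities against the same service instance and assert that the second result set contains only the second user's entries.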