gnome-keyring has an inadequate man page and employs insecure defaults for GPG passphrase caching
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GNOME Keyring | Fix Released | Medium | |
gnome-keyring (Ubuntu) | Fix Released | Wishlist | Unassigned |

Bug Description
The GCR package has no man page or other documentation that would explain how the GPG passphrase caching is configured.
For a package that deals with a critical piece of security infrastructure, that is not acceptable.
It defaults to caching GPG passphrases for the whole session, which again is not good security practice.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: gcr 3.10.1-1
ProcVersionSign
Uname: Linux 3.13.0-27-generic x86_64
NonfreeKernelMo
ApportVersion: 2.14.1-0ubuntu3.2
Architecture: amd64
CurrentDesktop: XFCE
Date: Tue Jun 3 09:17:51 2014
InstallationDate: Installed on 2014-04-24 (39 days ago)
InstallationMedia: Xubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140416.2)
SourcePackage: gcr
UpgradeStatus: No upgrade log present (probably fresh install)
information type: Private Security → Public Security
Changed in gcr (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
Changed in gnome-keyring:
importance: Unknown → Medium
status: Unknown → New
Changed in gnome-keyring:
status: New → Confirmed
Changed in gnome-keyring:
status: Confirmed → Fix Released
So why does this get importance undecided?
This silly thing has a direct security impact.