gnome-keyring reads unsafe SSH keys

Bug #714908 reported by Kees Cook
This bug affects 2 people
Affects                  Status         Importance   Assigned to   Milestone
GNOME Keyring            Fix Released   Medium
gnome-keyring (Ubuntu)   Invalid        Medium       Unassigned
Natty                    Invalid        Medium       Unassigned

Bug Description

Binary package hint: gnome-keyring

OpenSSH enforces that one's keys must be mode 0700 so that unsafe permissions do not go unnoticed. gnome-keyring should perform this check as well. It looks like pkcs11/ssh-store/gkm-ssh-private-key.c gkm_ssh_private_key_parse() is the place to do it, or possibly pkcs11/ssh-store/gkm-ssh-module.c file_load() since it checks some aspects of the files already.

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: gnome-keyring 2.92.92.is.2.32.1-0ubuntu2
ProcVersionSignature: Ubuntu 2.6.37-12.26-generic 2.6.37
Uname: Linux 2.6.37-12-generic x86_64
Architecture: amd64
Date: Mon Feb 7 15:23:20 2011
ProcEnviron:
 LANGUAGE=en_US:en
 PATH=(custom, user)
 LANG=en_US.UTF-8
 LC_MESSAGES=en_US.utf8
 SHELL=/bin/bash
SourcePackage: gnome-keyring
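
The permission check requested in the report, sketched as an added example (not gnome-keyring's or OpenSSH's code): a key file is refused unless it is a regular file owned by the caller with no group or other permission bits, and a reason code comes back so the caller can tell the user why, which is the concern raised later in the thread. The function names, the result codes and the owner check are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical result codes: the caller can report why a key was skipped. */
typedef enum {
    KEY_PERM_OK = 0,
    KEY_PERM_ERROR,         /* open() or fstat() failed */
    KEY_PERM_NOT_REGULAR,   /* directory, FIFO, device, ... */
    KEY_PERM_WRONG_OWNER,   /* not owned by the caller (this example's policy) */
    KEY_PERM_TOO_OPEN       /* some group/other permission bit is set */
} KeyPermResult;

/* Check the open descriptor, so the file checked is the file later parsed. */
KeyPermResult key_perm_check_fd(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0) return KEY_PERM_ERROR;
    if (!S_ISREG(st.st_mode)) return KEY_PERM_NOT_REGULAR;
    if (st.st_uid != getuid()) return KEY_PERM_WRONG_OWNER;
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return KEY_PERM_TOO_OPEN;
    return KEY_PERM_OK;
}

/* Return an fd only when the check passes. O_NONBLOCK keeps open() from
 * hanging on a FIFO; it has no effect on regular files. */
int open_private_key(const char *path, KeyPermResult *why)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) { *why = KEY_PERM_ERROR; return -1; }
    *why = key_perm_check_fd(fd);
    if (*why != KEY_PERM_OK) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    KeyPermResult why = KEY_PERM_ERROR;
    int fd = argc > 1 ? open_private_key(argv[1], &why) : -1;
    printf("%s: result %d\n", argc > 1 ? argv[1] : "(no path)", (int)why);
    return fd < 0;
}
```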

Kees Cook (kees) wrote :
Changed in gnome-keyring (Ubuntu Natty):
milestone: none → natty-alpha-3
assignee: nobody → Canonical Desktop Team (canonical-desktop-team)
status: New → Confirmed
Kees Cook (kees)
Changed in gnome-keyring (Ubuntu Natty):
importance: Undecided → Medium
Martin Pitt (pitti) wrote :

Robert, do you have some time to look into this? If not, please bounce back to canonical-desktop-team, and I'll find someone else.

Thanks!

Changed in gnome-keyring (Ubuntu Natty):
assignee: Canonical Desktop Team (canonical-desktop-team) → Robert Ancell (robert-ancell)
milestone: natty-alpha-3 → ubuntu-11.04-beta
status: Confirmed → Triaged
Robert Ancell (robert-ancell) wrote :

Forwarded upstream with a suggested solution:
https://bugzilla.gnome.org/show_bug.cgi?id=642008

Changed in gnome-keyring:
importance: Unknown → Medium
status: Unknown → New
Robert Ancell (robert-ancell) wrote :

This is unlikely to be complete for Natty due to the multiple layers and UI that have to be modified, reassigning for Oneiric.

Kees Cook (kees) wrote :

I don't think UI work is needed for Natty -- just failing when the permissions are bad is sufficient.

Robert Ancell (robert-ancell) wrote :

This would be really bad behaviour without UI - keys that were rejected due to permissions would stop working with no indication to the user at all. Upstream is in agreement about this.

Changed in gnome-keyring (Ubuntu Natty):
milestone: ubuntu-11.04-beta-1 → ubuntu-11.04-beta-2
Changed in gnome-keyring (Ubuntu Natty):
milestone: ubuntu-11.04-beta-2 → natty-updates
dino99 (9d9) wrote :
Changed in gnome-keyring (Ubuntu Natty):
status: Triaged → Invalid
tags: removed: natty
Changed in gnome-keyring (Ubuntu Natty):
assignee: Robert Ancell (robert-ancell) → nobody
Changed in gnome-keyring (Ubuntu):
assignee: Robert Ancell (robert-ancell) → nobody
dino99 (9d9) wrote :

expired version, and openssl has been widely reworked lately.

Changed in gnome-keyring (Ubuntu):
status: Triaged → Invalid
Changed in gnome-keyring:
status: New → Confirmed
Changed in gnome-keyring:
status: Confirmed → Fix Released
api.ng (hektve) wrote : bugreport-N2G47H-2018-03-15-12-42-02.zip

Build info: cv1_lao_com-user 7.1.2 N2G47H 173411504b0cf release-keys
Serial number: LMX210G29468a76

Sent from my MetroPCS 4G LTE Android device
