authentication in livesession accepts any value as password

Bug #1395720 reported by Elfy on 2014-11-24
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
Catfish | Fix Released | Undecided | Sean Davis |
sudo (Ubuntu) | | High | Unassigned |

Bug Description

Boot livesession, open catfish and try to update the database.

Authentication dialogue accepts any value - rather than not wanting one. Livesessions being passwordless generally.

Tried with admin, test, abracadabra and amIgoinginsane - all were accepted and database was unlocked and updated.

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: catfish 1.2.2-1
ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4
Uname: Linux 3.16.0-24-generic x86_64
ApportVersion: 2.14.7-0ubuntu10
Architecture: amd64
CasperVersion: 1.346
CurrentDesktop: XFCE
Date: Mon Nov 24 13:28:09 2014
LiveMediaBuild: Xubuntu 15.04 "Vivid Vervet" - Alpha amd64 (20141124)
PackageArchitecture: all
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: catfish
UpgradeStatus: No upgrade log present (probably fresh install)
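
Added example, not part of the original report and not Catfish's code: a sketch of how a front-end can probe sudo before showing a password dialog, so a passwordless session gets no prompt instead of a prompt that accepts anything. It assumes the typed value is handed to sudo; the function names and the fake sudo runner are constructed for illustration.

```python
import subprocess
from types import SimpleNamespace

def sudo_ok(args, stdin_text=None, run=subprocess.run):
    """Run sudo with the given flags and report whether it exited 0."""
    proc = run(["sudo", *args], input=stdin_text, text=True,
               stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0

def sudo_needs_password(run=subprocess.run):
    # -k ignores cached credentials, -n fails instead of prompting, so
    # exit status 0 means sudo runs the command without any password.
    return not sudo_ok(["-k", "-n", "true"], run=run)

def naive_authenticate(ask_password, run=subprocess.run):
    """Always prompt, then pipe the value to sudo (-S reads stdin)."""
    typed = ask_password()
    return sudo_ok(["-k", "-S", "-p", "", "true"], typed + "\n", run)

def authenticate(ask_password, run=subprocess.run):
    """Return (ok, prompted); the dialog is skipped when sudo wants no password."""
    if not sudo_needs_password(run):
        return True, False
    return naive_authenticate(ask_password, run), True

def make_fake_sudo(nopasswd, real_password="s3cret"):
    """Constructed stand-in for subprocess.run, so the logic runs offline."""
    def run(argv, input=None, **_kwargs):
        if nopasswd:
            ok = True                 # live session: sudo never asks
        elif "-n" in argv:
            ok = False                # a prompt would be required
        else:
            ok = (input or "").rstrip("\n") == real_password
        return SimpleNamespace(returncode=0 if ok else 1)
    return run

if __name__ == "__main__":
    live, installed = make_fake_sudo(True), make_fake_sudo(False)
    print(naive_authenticate(lambda: "abracadabra", live))
    print(authenticate(lambda: "abracadabra", live))
    print(authenticate(lambda: "abracadabra", installed))
```
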

Elfy (elfy) wrote :
Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
http://iso.qa.ubuntu.com/qatracker/reports/bugs/1395720

tags: added: iso-testing
Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu Package testing tracker.

A list of all reports related to this bug can be found here:
http://packages.qa.ubuntu.com/qatracker/reports/bugs/1395720

tags: added: package-qa-testing
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in catfish (Ubuntu):
status: New → Confirmed
Lyn Perrine (walterorlin) wrote :

I was able to reproduce this in Lubuntu after installing catfish. I tried WeLoveAlladinSane as a password and it authenticated.

Changed in catfish (Ubuntu):
importance: Undecided → High
information type: Public → Public Security
Elfy (elfy) wrote :

Given that if someone is able to only reproduce this in a livesession - and thus has physical access - not really a security issue - or if it is such - something that we're not able to deal with using software.

Accepting any password in a password-less environment (live session) is not a security issue.

information type: Public Security → Public
Sean Davis (bluesabre) wrote :
Changed in catfish-search:
status: New → Fix Committed
Sean Davis (bluesabre) on 2015-09-08
Changed in catfish-search:
milestone: none → 1.3.1
assignee: nobody → Sean Davis (bluesabre)
Sean Davis (bluesabre) on 2015-09-09
Changed in catfish-search:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package catfish - 1.3.1-0ubuntu1

---------------
catfish (1.3.1-0ubuntu1) wily; urgency=medium

  * New upstream bugfix release
    - Fix: authentication in livesession accepts any
      value as password (LP: #1395720)
    - Fix: Catfish will lock up if 'locate' is not
      installed (LP: #1482919)
    - Fix: Catfish does not find files whose size
      exceeds 2GB (LP: #1442559)

 -- Sean Davis <email address hidden> Tue, 08 Sep 2015 20:54:13 -0400

Changed in catfish (Ubuntu):
status: Confirmed → Fix Released
Michael (mmcauliff1453) on 2015-09-14
affects: catfish (Ubuntu) → sudo (Ubuntu)