Ubuntu
sudo package

authentication in livesession accepts any value as password

Bug #1395720 reported by Elfy on 2014-11-24
18
This bug affects 4 people
Affects Status Importance Assigned to Milestone
Catfish
Fix Released
Undecided
Sean Davis
Catfish 1.3.1
sudo (Ubuntu)
Fix Released
High
Unassigned
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

Boot livesession, open catfish and try to update the database.

Authentication dialogue accepts any value - rather than not want one. Livesession's being passwordless generally.

Tried with admin, test, abracadabra and amIgoinginsane - all were accepted and database was unlocked and updated.

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: catfish 1.2.2-1
ProcVersionSignature: Ubuntu 3.16.0-24.32-generic 3.16.4
Uname: Linux 3.16.0-24-generic x86_64
ApportVersion: 2.14.7-0ubuntu10
Architecture: amd64
CasperVersion: 1.346
CurrentDesktop: XFCE
Date: Mon Nov 24 13:28:09 2014
LiveMediaBuild: Xubuntu 15.04 "Vivid Vervet" - Alpha amd64 (20141124)
PackageArchitecture: all
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: catfish
UpgradeStatus: No upgrade log present (probably fresh install)

Elfy (elfy) wrote :
Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
http://iso.qa.ubuntu.com/qatracker/reports/bugs/1395720

tags: added: iso-testing
Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu Package testing tracker.

A list of all reports related to this bug can be found here:
http://packages.qa.ubuntu.com/qatracker/reports/bugs/1395720

tags: added: package-qa-testing
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in catfish (Ubuntu):
status: New → Confirmed
Lyn Perrine (walterorlin) wrote :

I was able to reproduce this in Lubuntu after installing catfish. I tried WeLoveAlladinSane as a password and it authentaticated.

Alberto Salvia Novella (es20490446e) on 2014-12-27
Changed in catfish (Ubuntu):
importance: Undecided → High
information type: Public → Public Security
Elfy (elfy) wrote :

given that if someone is able to only reproduce this in a livesession - and thus has physical access - not really a security issue - or if it is such - something that we're not able to deal with using software

Thaddaeus Tintenfisch (thad-fisch-deactivatedaccount) wrote :

Accepting any password in a password-less environment (live session) is not a security issue.

information type: Public Security → Public
Sean Davis (bluesabre) wrote :

Fixed at revision https://bazaar.launchpad.net/~catfish-search/catfish-search/trunk/revision/380

Changed in catfish-search:
status: New → Fix Committed
Sean Davis (bluesabre) on 2015-09-08
Changed in catfish-search:
milestone: none → 1.3.1
assignee: nobody → Sean Davis (bluesabre)
Sean Davis (bluesabre) on 2015-09-09
Changed in catfish-search:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package catfish - 1.3.1-0ubuntu1

---------------
catfish (1.3.1-0ubuntu1) wily; urgency=medium

  * New upstream bugfix release
    - Fix: authentication in livesession accepts any
      value as password (LP: #1395720)
    - Fix: Catfish will lock up if 'locate' is not
      installed (LP: #1482919)
    - Fix: Catfish does not find files whose size
      exceeds 2GB (LP: #1442559)

 -- Sean Davis <email address hidden> Tue, 08 Sep 2015 20:54:13 -0400

Changed in catfish (Ubuntu):
status: Confirmed → Fix Released
Michael (mmcauliff1453) on 2015-09-14
affects: catfish (Ubuntu) → sudo (Ubuntu)
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.
Subscribing...

Other bug subscribers