Bug 470728 - gdm shows autologin passwords in clear text
Status: RESOLVED FIXED
Product: gdm
Classification: Core
Component: general
Version: unspecified
Hardware: Other Windows
Importance: Normal normal
Target Milestone: ---
Assigned To: GDM maintainers
QA Contact: GDM maintainers
Depends on:
Blocks:
 
 
Reported: 2007-08-27 15:44 UTC by Ray Strode [halfline]
Modified: 2007-08-28 00:17 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Ray Strode [halfline] 2007-08-27 15:44:39 UTC
The Red Hat security response team noticed a bug in Novell's bugzilla here:

https://bugzilla.novell.com/show_bug.cgi?id=302282

I investigated some and found that gdm doesn't properly hide passwords that are requested during autologin.

Inside gdm_verify_standalone_pam_conv, it has this:

                case PAM_PROMPT_ECHO_OFF:
...
                       question_msg = g_strdup_printf ("question_msg=%s$$echo=%d", text, TRUE);

The TRUE there should be a FALSE, I think.

I think this is pretty low impact since autologin isn't supposed to ask for a password, afaik.
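
Added example, not part of the original report and not gdm's code: a stand-alone C sketch that derives the echo flag from the PAM message style instead of hard-coding it, plus a parser a regression test can use to confirm that an ECHO_OFF prompt never produces echo=1. The function names and the EX_ constants are hypothetical; the constant values are assumed to mirror Linux-PAM, and only the "question_msg=%s$$echo=%d" format comes from the report.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: values mirror Linux-PAM's headers; defined locally so the
 * example builds without libpam. All names below are hypothetical. */
enum { EX_PROMPT_ECHO_OFF = 1, EX_PROMPT_ECHO_ON = 2, EX_ERROR_MSG = 3, EX_TEXT_INFO = 4 };

/* Echo flag derived from the PAM message style alone: 1 = show typed text,
 * 0 = hide it, -1 = style is not a prompt. */
int echo_flag_for_style(int msg_style)
{
    if (msg_style == EX_PROMPT_ECHO_ON)  return 1;
    if (msg_style == EX_PROMPT_ECHO_OFF) return 0;  /* secrets: never echo */
    return -1;
}

/* Build "question_msg=<text>$$echo=<0|1>" (format taken from the report).
 * Returns 0 on success, -1 on a non-prompt style, bad args or truncation. */
int build_question_msg(int msg_style, const char *text, char *out, size_t outlen)
{
    int echo = echo_flag_for_style(msg_style);
    if (echo < 0 || text == NULL || out == NULL || outlen == 0)
        return -1;
    int n = snprintf(out, outlen, "question_msg=%s$$echo=%d", text, echo);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Read the flag back for a regression check. Uses the LAST "$$echo=" so
 * prompt text containing the marker cannot change the result.
 * Returns 0 or 1, or -1 if the field is missing or malformed. */
int parse_echo_flag(const char *msg)
{
    const char *marker = "$$echo=", *hit = NULL, *p = msg;
    while (p != NULL && (p = strstr(p, marker)) != NULL) { hit = p; p += strlen(marker); }
    if (hit == NULL) return -1;
    hit += strlen(marker);
    return ((hit[0] == '0' || hit[0] == '1') && hit[1] == '\0') ? hit[0] - '0' : -1;
}

int main(void)
{
    char buf[128];
    /* Constructed sample prompt, not taken from the report. */
    if (build_question_msg(EX_PROMPT_ECHO_OFF, "Password: ", buf, sizeof buf) == 0)
        printf("%s -> echo=%d\n", buf, parse_echo_flag(buf));
    return 0;
}
```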
Comment 1 Brian Cameron 2007-08-27 22:43:32 UTC
Thanks.  Now fixed in SVN head and the 2.18 branch.