GNOME Bugzilla – Bug 719427
GDM reveals user password
Last modified: 2013-11-27 21:18:12 UTC
Created attachment 262950
possible patch from red hat

Hello!

At first I have to mention that I didn't find a bug report or patch for this upstream. Because this is a massive security issue I marked this bug as blocker, same as Fedora did, despite the fact that this is already released as upstream-stable (please feel free to change to critical if needed).

It is possible to see the password of a logged-in user while switching between users and locking the screen. Fedora marked this bug as blocker for the release of Fedora 20 and a patch is available.

Additional info:
* package version(s): 3.10.0.1-1 (archlinux)
* sources:
  https://bugzilla.redhat.com/show_bug.cgi?id=1034031
  https://bugs.archlinux.org/task/37930
  https://git.gnome.org/browse/gdm/log/ # no current patch ?

Steps to reproduce (seems the simplest way to trigger):
1. Log in as 'user01'
2. Switch user to 'user02'
3. Switch user to 'user01'
4. Lock screen of user 'user01'
5. From the unlock dialog, hit "Log in as a different user"
6. Right click on password field -> Show password!

Questions:
Can we expect the attached patch from Red Hat as the official upstream solution?
From my basic point of view a password should reside in main memory no longer than strictly needed. Is this violated in this case?

Thank you
Fixed here #710456 Thanks
*** This bug has been marked as a duplicate of bug 710456 ***