Remote Login Service stores servers from previous user

Bug #1070896 reported by Ted Gould
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Remote Login Service | Fix Released | High | Unassigned |
remote-login-service (Ubuntu) | Fix Released | High | Unassigned |
Quantal | Fix Released | High | Marc Deslauriers |
Raring | Fix Released | High | Unassigned |

Bug Description

If a user logs into RLS and gets the servers, and then another user logs in, instead of deleting the previous user's, the RLS service returns both sets of servers.

This is a security bug, but an unlikely one. It would require the user logging into RLS, then walking away from the machine without using the results, and then someone coming and logging into the same machine.

Changed in remote-login-service:
status: In Progress → Fix Committed
Ted Gould (ted)
Changed in remote-login-service (Ubuntu):
status: New → Confirmed
Changed in remote-login-service:
importance: Undecided → High
Changed in remote-login-service (Ubuntu):
importance: Undecided → High
information type: Public → Public Security
Changed in remote-login-service (Ubuntu Quantal):
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package remote-login-service - 1.0.0-0ubuntu1.1

---------------
remote-login-service (1.0.0-0ubuntu1.1) quantal-security; urgency=low

  * SECURITY UPDATE: credentials disclosure via second login (LP: #1070896)
    - debian/patches/01_clear_servers.patch: Clear servers on second login
      in src/uccs-server.c, add test to tests/dbus-interface.c.
    - CVE-2012-0959
 -- Marc Deslauriers <email address hidden> Mon, 05 Nov 2012 14:05:14 -0500
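
The flaw in the bug description and the fix named in the changelog ("Clear servers on second login"), modeled as an added example. This is not the code from src/uccs-server.c or 01_clear_servers.patch; the struct, the function names and the sample host names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define MAX_SERVERS 8

/* Hypothetical stand-in for the service's cached server list. */
struct server_cache {
    char names[MAX_SERVERS][64];
    size_t count;
};

/* Flawed pattern: each login appends, so the previous user's entries stay. */
void login_append_only(struct server_cache *c, const char *const *srv, size_t n)
{
    for (size_t i = 0; i < n && c->count < MAX_SERVERS; i++)
        snprintf(c->names[c->count++], sizeof c->names[0], "%s", srv[i]);
}

/* Corrected pattern: wipe the previous login's entries before storing. */
void login_clear_first(struct server_cache *c, const char *const *srv, size_t n)
{
    memset(c, 0, sizeof *c);            /* zero the names, reset count */
    login_append_only(c, srv, n);
}

/* Returns 1 if `name` is still listed in the cache, 0 otherwise. */
int cache_contains(const struct server_cache *c, const char *name)
{
    for (size_t i = 0; i < c->count; i++)
        if (strcmp(c->names[i], name) == 0) return 1;
    return 0;
}

/* Constructed sample data: two accounts, one server each. */
static const char *const USER_A[] = { "a-desktop.example" };
static const char *const USER_B[] = { "b-desktop.example" };
typedef void (*login_fn)(struct server_cache *, const char *const *, size_t);

/* Regression check: after B logs in, is A's server still returned? */
int leaks_previous_user(login_fn login)
{
    struct server_cache c = {0};
    login(&c, USER_A, 1);
    login(&c, USER_B, 1);
    return cache_contains(&c, USER_A[0]);
}

int main(void)
{
    printf("append-only leaks: %d\n", leaks_previous_user(login_append_only));
    printf("clear-first leaks: %d\n", leaks_previous_user(login_clear_first));
    return 0;
}
```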

Changed in remote-login-service (Ubuntu Quantal):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package remote-login-service - 1.0.0-0ubuntu2

---------------
remote-login-service (1.0.0-0ubuntu2) raring; urgency=low

  * SECURITY UPDATE: credentials disclosure via second login (LP: #1070896)
    - debian/patches/01_clear_servers.patch: Clear servers on second login
      in src/uccs-server.c, add test to tests/dbus-interface.c.
    - CVE-2012-0959
 -- Marc Deslauriers <email address hidden> Mon, 05 Nov 2012 14:05:14 -0500

Changed in remote-login-service (Ubuntu Raring):
status: Confirmed → Fix Released
David Barth (dbarth)
Changed in remote-login-service:
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
