Ubuntu
gnome-keyring package

Session keyring stored on disk in plain text

Bug #539180 reported by Torsten Spindler
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
GNOME Keyring
Fix Released
Medium
gnome-keyring (Ubuntu)
Fix Released
High
Canonical Desktop Team
Ubuntu ubuntu-10.04-beta-2
Lucid
Fix Released
High
Canonical Desktop Team
Ubuntu ubuntu-10.04-beta-2

Bug Description

Binary package hint: gnome-keyring

Using gnome session keyring passwords are stored in plain text on file, instead of merely in memory. When running the example set program, the password will be shown in plain text here: ~/.gnome2/keyrings/session.keyring

http://library.gnome.org/devel/platform-overview/stable/keyring.html.en
"The keyring manager also provides a session keyring. Items in the session keyring are never stored on disk, and are lost as soon as the user's session ends. The session keyring can be used to store passwords to be used in the current session only."

See original description
Revision history for this message
Torsten Spindler (tspindler) wrote :

Attached is an example program that sets and retrieves a password from the gnome session keyring.

Revision history for this message
Torsten Spindler (tspindler) wrote :

On Karmic the session keyring is not written on disk.

Kees Cook (kees)
tags: added: regression-potential
visibility: private → public
Changed in gnome-keyring (Ubuntu Lucid):
milestone: none → ubuntu-10.04-beta-2
status: New → Confirmed
importance: Undecided → High
Sebastien Bacher (seb128)
Changed in gnome-keyring (Ubuntu Lucid):
assignee: nobody → Canonical Desktop Team (canonical-desktop-team)
Kees Cook (kees)
description: updated
Revision history for this message
Torsten Spindler (tspindler) wrote :

This problem was detected by Dominik Fischer.

Revision history for this message
Sebastien Bacher (seb128) wrote :

the bug is fixed to git now and will be fixed in lucid with next upload too

Changed in gnome-keyring (Ubuntu Lucid):
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-keyring - 2.92.92git20100322-0ubuntu1

---------------
gnome-keyring (2.92.92git20100322-0ubuntu1) lucid; urgency=low

  * Upstream git snapshot:
    - "Don't save session keyring to disk".(lp: #539180)
    - better errors handling, fixes a crash (lp: #525410)
    - let "automatically unlock" unlock the keyring (lp: #526560)
  * debian/patches/04_remove_assert_on_va_list.patch:
    - the change is in the new version
 -- Sebastien Bacher <email address hidden> Mon, 22 Mar 2010 11:00:39 +0100

Changed in gnome-keyring (Ubuntu Lucid):
status: Fix Committed → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in gnome-keyring:
importance: Unknown → Medium
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.