Bugzilla – Bug 892382
VUL-1: CVE-2012-6655: accountsservice: local encrypted password disclosure when changing password
Last modified: 2020-06-04 13:05:27 UTC
Via bugs.freedesktop.org: Calling SetPassword() on the AccountsService results in a crypted password included on the command line. This seems to me to be minor security hole. It is the equivalent of having /etc/shadow readable by non-root users (albeit only for those who change their password via the AccountsService). Any other local user can (in a default linux configuration) see the command lines of any other process on the system. The relevant code is in src/user.c in the user_change_password_authorized_cb() function: argv[0] = "/usr/sbin/usermod"; argv[1] = "-p"; argv[2] = strings[0]; argv[3] = "--"; argv[4] = user->user_name; argv[5] = NULL; strings[0] has been set to the crypted password in user_set_password(). The crypted password has been passed from the client (ie: gnome-control-center). CVE-2012-6655 was assigned to this issue. References: https://bugs.freedesktop.org/show_bug.cgi?id=55000 http://openwall.com/lists/oss-security/2014/08/16/7 https://bugzilla.redhat.com/show_bug.cgi?id=1130538
This needs to be fixed for openSUSE 12.3 and 13.1. (+SLE-12)
bugbot adjusting priority
Passing on to Frederic - maybe you find somebody to actually dig into this (it's likely still an issue in SLE12?!)
The bug is not fixed by upstream yet. So probably still an issue in TW too..