| Summary: | gnome-keyring new security issue CVE-2018-20781 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, jani.valimaa, marja11, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK | | |
| Source RPM: | gnome-keyring-3.20.0-1.mga6.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2019-03-08 21:24:03 CET
Marja Van Waes
2019-03-09 07:42:52 CET
Assignee: bugsquad => gnome

Patched package uploaded for Mageia 6 by Jani.

Advisory:
========================

Updated gnome-keyring package fixes security vulnerability:

It was discovered that GNOME Keyring incorrectly cleared out credentials supplied to the PAM module. A local attacker could possibly use this issue to discover login credentials (CVE-2018-20781).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781
https://usn.ubuntu.com/3894-1/
========================

Updated packages in core/updates_testing:
========================
gnome-keyring-3.20.0-1.1.mga6

from gnome-keyring-3.20.0-1.1.mga6.src.rpm

CC: (none) => jani.valimaa

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues, updated existing package.
Hunting for a testing method, found https://wiki.archlinux.org/index.php/GNOME/Keyring and did the following at the CLI:

$ ssh-add -L
The agent has no identities.
]$ ssh-add ~/.ssh/id_rsa
/home/tester6/.ssh/id_rsa: No such file or directory

So, no keys present yet.

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/tester6/.ssh/id_rsa):
Created directory '/home/tester6/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tester6/.ssh/id_rsa.
Your public key has been saved in /home/tester6/.ssh/id_rsa.pub.
The key fingerprint is:

and gives the key data.....

$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /home/tester6/.ssh/id_rsa:
Identity added: /home/tester6/.ssh/id_rsa (/home/tester6/.ssh/id_rsa)
$ ssh-copy-id herman@xxxx
Warning: Permanently added 'xxxx,aaa.bbb.ccc.ddd' (ECDSA) to the list of known hosts.
Password:
Password:
Password:
herman@xxxx's password:
Now try logging into the machine, with "ssh 'herman@xxxx'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

$ ssh 'herman@xxxx'
Last login: Mon Jan 7 16:27:46 2019 from 192.168.2.6
[herman@xxxx]$ pwd
/home/herman/

So the whole chain seems to work.

Whiteboard: (none) => MGA6-32-OK

Dave Hodgins
2019-03-14 20:30:29 CET
Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0111.html

Status: NEW => RESOLVED