CVE-2012-6111
Published: 20 December 2019
gnome-keyring does not discard stored secrets when using gnome_keyring_lock_all_sync function
Notes
Author | Note |
---|---|
mdeslaur | In hardy, gnome_keyring_lock_all_sync() was in the gnome-keyring package, and works as expected. In 2.30+ in Lucid+, gnome_keyring_lock_all_sync() is in libgnome-keyring and sends a LockService DBus call to gnome-keyring. This call isn't implemented in lucid+. Nothing in the archive in Oneiric+ actually uses gnome_keyring_lock_all_sync(), so this is low. In Lucid, gnome-power-manager calls this before suspend and hibernation with the intention of locking the keyring. Fixing this in Lucid would result in the user likely having to retype their keyring password when coming out of suspend and hibernation, which is an intrusive change this late in Lucid's lifecycle. Setting this issue as priority low for the reasons above. |
Priority
Status
Package | Release | Status |
---|---|---|
gnome-keyring (Launchpad, Ubuntu, Debian) | artful | Ignored (end of life) |
gnome-keyring | bionic | Not vulnerable (3.28.0.2-1ubuntu1.18.04.1) |
gnome-keyring | cosmic | Not vulnerable (3.28.2-0ubuntu1) |
gnome-keyring | hardy | Ignored (end of life) |
gnome-keyring | lucid | Ignored (end of life) |
gnome-keyring | oneiric | Ignored (end of life) |
gnome-keyring | precise | Ignored (end of life) |
gnome-keyring | quantal | Ignored (end of life) |
gnome-keyring | raring | Ignored (end of life) |
gnome-keyring | saucy | Ignored (end of life) |
gnome-keyring | trusty | Does not exist (trusty was not-affected [3.10.1-1ubuntu4.3]) |
gnome-keyring | upstream | Needed |
gnome-keyring | utopic | Ignored (end of life) |
gnome-keyring | vivid | Ignored (end of life) |
gnome-keyring | wily | Ignored (end of life) |
gnome-keyring | xenial | Not vulnerable (3.18.3-0ubuntu2) |
gnome-keyring | yakkety | Ignored (end of life) |
gnome-keyring | zesty | Ignored (end of life) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |