Bug#788422: gnome-core: Lock screen shows incorrect password in plain text briefly

[Andrew Gallagher]

Package: gnome-core
Version: 1:3.14+3
Severity: important

Dear Maintainer,

When unlocking the default screensaver, I typed in an incorrect password and it was shown
in plain text briefly as the text box greyed out. I have never seen this issue before, and
am not sure how to reproduce, but it is a serious security issue and therefore worth
reporting.

I will continue to try to reproduce.

Andrew.

-- System Information:
Debian Release: 8.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gnome-core depends on:
ii  adwaita-icon-theme         3.14.0-2
ii  at-spi2-core               2.14.0-1
ii  baobab                     3.14.1-1
ii  caribou                    0.4.15-1
ii  caribou-antler             0.4.15-1
ii  dconf-gsettings-backend    0.22.0-1
ii  dconf-tools                0.22.0-1
ii  empathy                    3.12.7-1
ii  eog                        3.14.1-1
ii  evince                     3.14.1-2
ii  evolution-data-server      3.12.9~git20141128.5242b0-2+deb8u2
ii  fonts-cantarell            0.0.16-1
ii  gdm3                       3.14.1-7
ii  gkbd-capplet               3.6.0-1
ii  glib-networking            2.42.0-2
ii  gnome-backgrounds          3.14.1-1
ii  gnome-bluetooth            3.14.0-2
ii  gnome-calculator           3.14.1-1
ii  gnome-contacts             3.14.1-1
ii  gnome-control-center       1:3.14.2-3
ii  gnome-dictionary           3.14.1-1
ii  gnome-disk-utility         3.12.1-1+b1
ii  gnome-font-viewer          3.14.0-2
ii  gnome-keyring              3.14.0-1+b1
ii  gnome-menus                3.13.3-6
ii  gnome-online-accounts      3.14.2-1
ii  gnome-online-miners        3.14.0-2
ii  gnome-packagekit           3.14.0-1
ii  gnome-screenshot           3.14.0-1
ii  gnome-session              3.14.0-2
ii  gnome-settings-daemon      3.14.2-3
ii  gnome-shell                3.14.2-3+b1
ii  gnome-shell-extensions     3.14.2-1
ii  gnome-sushi                3.12.0-2+b1
ii  gnome-system-log           3.9.90-2
ii  gnome-system-monitor       3.14.1-1
ii  gnome-terminal             3.14.1-1
ii  gnome-themes-standard      3.14.2.2-1
ii  gnome-user-guide           3.14.1-1
ii  gnome-user-share           3.14.0-2
ii  gsettings-desktop-schemas  3.14.1-1
ii  gstreamer1.0-plugins-base  1.4.4-2
ii  gstreamer1.0-plugins-good  1.4.4-2
ii  gstreamer1.0-pulseaudio    1.4.4-2
ii  gtk2-engines               1:2.20.2-3
ii  gucharmap                  1:3.14.1-1
ii  gvfs-backends              1.22.2-1
ii  gvfs-bin                   1.22.2-1
ii  gvfs-fuse                  1.22.2-1
ii  iceweasel                  31.6.0esr-1
ii  libatk-adaptor             2.14.0-2
ii  libcanberra-pulse          0.30-2.1
ii  libcaribou-gtk-module      0.4.15-1
ii  libcaribou-gtk3-module     0.4.15-1
ii  libgtk-3-common            3.14.5-1
ii  libpam-gnome-keyring       3.14.0-1+b1
ii  metacity                   1:3.14.3-1
ii  mousetweaks                3.12.0-1
ii  nautilus                   3.14.1-2
ii  policykit-1-gnome          0.105-2
ii  pulseaudio                 5.0-13
ii  sound-theme-freedesktop    0.8-1
ii  totem                      3.14.0-2
ii  tracker-gui                1.2.4-2
ii  vino                       3.14.0-2+b1
ii  yelp                       3.14.1-1
ii  zenity                     3.14.0-1

Versions of packages gnome-core recommends:
ii  anacron                2.3-23
ii  network-manager-gnome  0.9.10.0-2

Versions of packages gnome-core suggests:
pn  gnome  <none>

-- no debconf information