Bug#1018899: gcr-prompter dumps secrets in syslog/journald
Antoine Beaupre
anarcat at debian.org
Thu Sep 1 19:22:45 BST 2022
Package: gcr
Version: 3.41.1-1
Severity: important

It looks like some secrets are leaking from the gcr program into my
system logs. I see this when GnuPG triggers a password prompt:
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: received BeginPrompting call from callback /org/gnome/keyring/Prompt/p0@:1.40
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: preparing a prompt for callback /org/gnome/keyring/Prompt/p0@:1.40
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: creating new GcrPromptDialog prompt
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: automatically selecting secret exchange protocol
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: generating public key
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: beginning the secret exchange: [sx-aes-1]\npublic=[REDACTED]\n
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: calling the PromptReady method on /org/gnome/keyring/Prompt/p0@:1.40
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: returned from the PromptReady method on /org/gnome/keyring/Prompt/p0@:1.40
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: received PerformPrompt call from callback /org/gnome/keyring/Prompt/p0@:1.40
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: stopping prompting for operation /org/gnome/keyring/Prompt/p0@:1.40
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: closing the prompt
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: stopping prompting for operation /org/gnome/keyring/Prompt/p0@:1.40
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: couldn't find the callback for prompting operation /org/gnome/keyring/Prompt/p0@:1.40
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: stopping prompting for operation /org/gnome/keyring/Prompt/p0@:1.40
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: couldn't find the callback for prompting operation /org/gnome/keyring/Prompt/p0@:1.40
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: stopping prompting for operation /org/gnome/keyring/Prompt/p0@:1.40
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: couldn't find the callback for prompting operation /org/gnome/keyring/Prompt/p0@:1.40
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: calling the PromptDone method on /org/gnome/keyring/Prompt/p0@:1.40, and ignoring reply
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: received BeginPrompting call from callback /org/gnome/keyring/Prompt/p1@:1.42
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: preparing a prompt for callback /org/gnome/keyring/Prompt/p1@:1.42
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: creating new GcrPromptDialog prompt
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: automatically selecting secret exchange protocol
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: generating public key
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: beginning the secret exchange: [sx-aes-1]\npublic=[REDACTED]\n
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: calling the PromptReady method on /org/gnome/keyring/Prompt/p1@:1.42
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: returned from the PromptReady method on /org/gnome/keyring/Prompt/p1@:1.42
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: received PerformPrompt call from callback /org/gnome/keyring/Prompt/p1@:1.42
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: receiving secret exchange: [sx-aes-1]\npublic=[REDACTED]\n
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: deriving shared transport key
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: deriving transport key
sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: starting password prompt for callback /org/gnome/keyring/Prompt/p1@:1.42
sep 01 13:45:49 emma gcr-prompter[7681]: Gcr: completed password prompt for callback :1.42@/org/gnome/keyring/Prompt/p1
sep 01 13:45:49 emma gcr-prompter[7681]: Gcr: encrypting data
sep 01 13:45:49 emma gcr-prompter[7681]: Gcr: sending the secret exchange: [sx-aes-1]\npublic=[REDACTED]\n
sep 01 13:45:49 emma gcr-prompter[7681]: Gcr: calling the PromptReady method on /org/gnome/keyring/Prompt/p1@:1.42
sep 01 13:45:49 emma gcr-prompter[7681]: Gcr: returned from the PromptReady method on /org/gnome/keyring/Prompt/p1@:1.42
sep 01 13:45:49 emma gcr-prompter[7681]: Gcr: received PerformPrompt call from callback /org/gnome/keyring/Prompt/p1@:1.42
sep 01 13:45:49 emma gcr-prompter[7681]: Gcr: stopping prompting for operation /org/gnome/keyring/Prompt/p1@:1.42
sep 01 13:45:49 emma gcr-prompter[7681]: Gcr: closing the prompt
sep 01 13:45:49 emma gcr-prompter[7681]: Gcr: stopping prompting for operation /org/gnome/keyring/Prompt/p1@:1.42
sep 01 13:45:49 emma gcr-prompter[7681]: Gcr: couldn't find the callback for prompting operation /org/gnome/keyring/Prompt/p1@:1.42
sep 01 13:45:49 emma gcr-prompter[7681]: Gcr: stopping prompting for operation /org/gnome/keyring/Prompt/p1@:1.42
sep 01 13:45:49 emma gcr-prompter[7681]: Gcr: couldn't find the callback for prompting operation /org/gnome/keyring/Prompt/p1@:1.42
sep 01 13:45:49 emma gcr-prompter[7681]: Gcr: stopping prompting for operation /org/gnome/keyring/Prompt/p1@:1.42
sep 01 13:45:49 emma gcr-prompter[7681]: Gcr: couldn't find the callback for prompting operation /org/gnome/keyring/Prompt/p1@:1.42
sep 01 13:45:49 emma gcr-prompter[7681]: Gcr: calling the PromptDone method on /org/gnome/keyring/Prompt/p1@:1.42, and ignoring reply
sep 01 13:45:59 emma gcr-prompter[7681]: Gcr: 10 second inactivity timeout, quitting
sep 01 13:45:59 emma gcr-prompter[7681]: Gcr: unregistering prompter
sep 01 13:45:59 emma gcr-prompter[7681]: Gcr: disposing prompter
sep 01 13:45:59 emma gcr-prompter[7681]: Gcr: finalizing prompter
The bits marked [REDACTED] actually contain what looks like some sort
of secret key. I am not familiar with how this program works, but it
looks like a bad idea to write that in logs.

I'm using a weird desktop here: i3wm started from systemd, with *some*
GNOME bits (e.g. network-manager and nm-applet).
-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 5.18.0-4-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gcr depends on:
ii dbus-user-session [default-dbus-session-bus] 1.14.0-2
ii dbus-x11 [dbus-session-bus] 1.14.0-2
ii dconf-gsettings-backend [gsettings-backend] 0.40.0-3
ii init-system-helpers 1.64
ii libc6 2.34-4
ii libgck-1-0 3.41.1-1
ii libgcr-base-3-1 3.41.1-1
ii libgcr-ui-3-1 3.41.1-1
ii libglib2.0-0 2.72.3-1+b1
ii libgtk-3-0 3.24.34-3
ii libsecret-1-0 0.20.5-2
ii libsystemd0 251.3-1
gcr recommends no packages.
gcr suggests no packages.
-- no debconf information
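
The following is an added example, not part of the original report and not gcr code: a log check that flags the three "secret exchange" debug messages shown above and rewrites them with every key=value payload replaced, so the log can be shared or retained without the exchanged material. The names `scan`, `EXCHANGE` and `FIELD` are hypothetical, and the sample lines are constructed in the report's log format with a placeholder value.

```python
import re

# Matches the three secret-exchange debug messages shown in the report:
# "beginning the / receiving / sending the secret exchange: <payload>"
EXCHANGE = re.compile(
    r"gcr-prompter\[(?P<pid>\d+)\]: Gcr: (?P<dir>beginning|receiving|sending) "
    r"(?:the )?secret exchange: (?P<payload>.*)$"
)
# key=value fields inside the payload; the log text shows newlines as literal "\n"
FIELD = re.compile(r"(?P<key>[A-Za-z0-9_-]+)=(?P<value>.*)")


def scan(lines):
    """Return (findings, redacted_lines). Findings never hold field values."""
    findings, redacted = [], []
    for lineno, line in enumerate(lines, 1):
        m = EXCHANGE.search(line)
        if not m:
            redacted.append(line)
            continue
        parts = [p for p in re.split(r"\\n|\n", m.group("payload")) if p]
        keys, clean = [], []
        for part in parts:
            f = FIELD.fullmatch(part)
            if f:
                keys.append(f.group("key"))
                clean.append(f.group("key") + "=<redacted>")
            else:
                clean.append(part)  # protocol tag such as [sx-aes-1]
        findings.append({"line": lineno, "pid": int(m.group("pid")),
                         "direction": m.group("dir"), "fields": keys})
        redacted.append(line[:m.start("payload")] + r"\n".join(clean))
    return findings, redacted


# Constructed sample in the format of the log above; the value is a placeholder.
SAMPLE = [
    "sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: generating public key",
    r"sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: beginning the secret exchange: [sx-aes-1]\npublic=PLACEHOLDERVALUE==\n",
    r"sep 01 13:45:47 emma gcr-prompter[7681]: Gcr: receiving secret exchange: [sx-aes-1]\npublic=PLACEHOLDERVALUE==\n",
    "sep 01 13:45:49 emma gcr-prompter[7681]: Gcr: encrypting data",
]

if __name__ == "__main__":
    found, cleaned = scan(SAMPLE)
    for f in found:
        print(f)
    print("\n".join(cleaned))
```

On a live system the input lines can come from `journalctl -t gcr-prompter`; a non-empty findings list means the debug messages are reaching the journal.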