Bug#1018899: gcr-prompter dumps secrets in syslog/journald
Antoine Beaupré
anarcat at debian.org
Tue Sep 6 14:50:05 BST 2022
On 2022-09-04 21:50:51, Simon McVittie wrote:
> On Thu, 01 Sep 2022 at 14:22:45 -0400, Antoine Beaupre wrote:
>> The bits marked [REDACTED] actually contain what looks like some sort
>> of secret key.
>
> As discussed on IRC, I *think* it's the public part of an asymmetric
> keypair, which would reduce the severity of this bug, but it still seems
> like a valid bug (gcr-prompter shouldn't be writing g_debug()-level logging
> to syslog).

Thanks for the clarification! Certainly reassuring...

>> I'm using a weird desktop here: i3wm started from systemd, with *some*
>> GNOME bits (e.g. network-manager and nm-applet, for example).
>
> This bug is probably only applicable in desktop environments that don't
> provide an integrated libsecret prompt (not GNOME, and possibly also not
> other major desktop environments like Plasma).

Right, that makes sense. For me, the workaround was to switch to
pinentry-qt which doesn't exhibit that behavior, with the alternatives
system:

    update-alternatives --set pinentry-x11 /usr/bin/pinentry-qt

Thanks!

--
Conformity-the natural instinct to passively yield to that vague something
recognized as authority.
- Mark Twain