[pkg-lxqt-devel] Bug#933939: lxqt-policykit: With two-factor auth the password is displayed in cleartext
Jörg Kurlbaum
jkur+debian at corsario.org
Mon Aug 5 11:20:11 BST 2019
Package: lxqt-policykit
Version: 0.14.1-1
Severity: important
Tags: upstream
Dear Maintainer,
the lxqt-policykit-agent GUI has a flaw in displaying sensitive
information when using U2F as an additional auth backend.
Patches are available here:
https://github.com/jkur/lxqt-policykit/tree/dontshowpass
The point is that the QLineEdit still knows about the password in
repeated invocations and displays it as a default text.
* What led up to the situation?
Using the lxqt-policykit-agent with two-factor auth based on pam-u2f
* What was the outcome of this action?
The password is displayed in plaintext in the GUI
* What outcome did you expect instead?
Don't show any sensitive information
-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (1001, 'stable'), (150, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages lxqt-policykit depends on:
ii libc6 2.28-10
ii liblxqt0 0.14.1-1
ii libpolkit-qt5-1-1 0.112.0-6
ii libqt5core5a 5.11.3+dfsg1-1
ii libqt5gui5 5.11.3+dfsg1-1
ii libqt5widgets5 5.11.3+dfsg1-1
ii libstdc++6 8.3.0-6
ii lxqt-session 0.14.1-2
Versions of packages lxqt-policykit recommends:
ii lxqt-policykit-l10n 0.14.1-1
Versions of packages lxqt-policykit suggests:
pn lxqt | lxqt-core <none>
-- no debconf information
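
The following is an added illustration of the state-reuse pattern the report describes; it is not code from the reporter, the linked branch, or lxqt-policykit. `Field` and `AgentDialog` are hypothetical stand-ins (no Qt), and it assumes the second prompt of the two-factor session asks for visible (echo-on) input.

```cpp
#include <iostream>
#include <string>

// Hypothetical stand-in for a text field; models only text + masking, not Qt.
struct Field {
    std::string text;
    bool masked = true;
    // What a person looking at the screen would see.
    std::string shown() const {
        return masked ? std::string(text.size(), '*') : text;
    }
};

// One dialog object is reused for every prompt of an authentication session.
class AgentDialog {
public:
    explicit AgentDialog(bool clearOnPrompt) : clearOnPrompt_(clearOnPrompt) {}

    // Called once per prompt from the auth stack; echo=true means "show input".
    void request(const std::string &prompt, bool echo) {
        prompt_ = prompt;
        if (clearOnPrompt_)
            field_.text.clear();   // hardened: drop the previous response first
        field_.masked = !echo;
    }
    void type(const std::string &s) { field_.text = s; }
    const std::string &prompt() const { return prompt_; }
    std::string shown() const { return field_.shown(); }
private:
    bool clearOnPrompt_;
    std::string prompt_;
    Field field_;
};

// Runs a constructed two-step session and returns what the field displays
// when the second prompt appears, before the user types anything.
std::string shownAtSecondPrompt(bool clearOnPrompt) {
    AgentDialog dlg(clearOnPrompt);
    dlg.request("Password:", false);
    dlg.type("hunter2-constructed");              // constructed sample secret
    dlg.request("Touch your security key", true); // assumed echo-on prompt
    return dlg.shown();
}

int main() {
    std::cout << "reused field:  '" << shownAtSecondPrompt(false) << "'\n";
    std::cout << "cleared field: '" << shownAtSecondPrompt(true) << "'\n";
}
```
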