CVE-2012-6111
https://notcve.org/view.php?id=CVE-2012-6111
gnome-keyring does not discard stored secrets when using the gnome_keyring_lock_all_sync function.
• http://www.openwall.com/lists/oss-security/2013/01/17/4
• https://access.redhat.com/security/cve/cve-2012-6111
• https://bugzilla.gnome.org/show_bug.cgi?id=690466
• https://security-tracker.debian.org/tracker/CVE-2012-6111
• CWE-20: Improper Input Validation
CVE-2018-20781
https://notcve.org/view.php?id=CVE-2018-20781
In pam/gkr-pam-module.c in GNOME Keyring before 3.27.2, the user's password is kept in a session-child process spawned from the LightDM daemon. This can expose the credential in cleartext.
• https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1772919
• https://bugzilla.gnome.org/show_bug.cgi?id=781486
• https://github.com/huntergregal/mimipenguin
• https://github.com/huntergregal/mimipenguin/tree/d95f1e08ce79783794f38433bbf7de5abd9792da
• https://gitlab.gnome.org/GNOME/gnome-keyring/issues/3
• https://gitlab.gnome.org/GNOME/gnome-keyring/tags/3.27.2
• https://usn.ubuntu.com/3894-1
• https://www.oracle.com/security-alerts/cpujan2021.html
• CWE-522: Insufficiently Protected Credentials
CVE-2018-19358
https://notcve.org/view.php?id=CVE-2018-19358
GNOME Keyring through 3.28.2 allows local users to retrieve login credentials via a Secret Service API call and the D-Bus interface if the keyring is unlocked, a similar issue to CVE-2008-7320. One perspective is that this occurs because available D-Bus protection mechanisms (involving the busconfig and policy XML elements) are not used. NOTE: the vendor disputes this because, according to the security model, untrusted applications must not be allowed to access the user's session bus socket.
• https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1780365
• https://bugzilla.redhat.com/show_bug.cgi?id=1652194#c8
• https://github.com/sungjungk/keyring_crack
• https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/5#note_1876550
• https://www.youtube.com/watch?v=Do4E9ZQaPck
CVE-2012-3466
https://notcve.org/view.php?id=CVE-2012-3466
GNOME gnome-keyring 3.4.0 through 3.4.1, when gpg-cache-method is set to "idle" or "timeout," does not properly limit the amount of time a passphrase is cached, which allows attackers to have an unspecified impact via unknown attack vectors.
• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683655
• http://git.gnome.org/browse/gnome-keyring/commit/?id=51606f299e5ee9d48096db0a5957efe26cbf7cc3
• http://git.gnome.org/browse/gnome-keyring/commit/?id=5dff623470b859e332dbe12afb0dc57b292832d2
• http://lists.opensuse.org/opensuse-updates/2012-09/msg00037.html
• http://www.mandriva.com/security/advisories?name=MDVSA-2013:084
• http://www.openwall.com/lists/oss-security/2012/08/09/1
• http://www.openwall.com/lists/oss-security/2012/08/09/2
• https://
• CWE-264: Permissions, Privileges, and Access Controls