[5902] in bugtraq
Re: visible passwd bug in kdm ?
daemon@ATHENA.MIT.EDU (Arnt Gulbrandsen)
Sat Jan 3 02:30:23 1998
Date: Sat, 3 Jan 1998 01:00:50 +0100
Reply-To: Arnt Gulbrandsen <agulbra@TROLL.NO>
From: Arnt Gulbrandsen <agulbra@TROLL.NO>
X-To: "J. Sean Connell" <ankh@canuck.gen.nz>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: "J. Sean Connell"'s message of "Mon, 15 Dec 1997 13:59:40 +1300 (NZDT)"
"J. Sean Connell" <ankh@canuck.gen.nz>
> On Wed, 10 Dec 1997, Sascha Runschke wrote:
>
> > it seems that there is a bug in the login procedure of the kdm environment.
> > If you type your passwd when prompted for it and afterwards try to mark the
> > invisible passwd with the mouse, it suddenly becomes visible.
> >
> > I don't think it's that dangerous, but there might be a situation where you
> > cannot end your login-sequence and someone else is able to access your
> > station.
> >
> > I did not check the code yet, because I do not use kdm. But maybe
> > I'll have a look later.
>
> I don't know about this exact problem, but there is a generic problem with
> Qt in this regard:
Which is almost certainly not the same problem. I expect the KDE
problem is a kdm-specific bug.
> A text entry field that has been set to "password" mode
> still permits selection (and therefore copying) of the plaintext contents.
> I spoke with Arnt Gulbrandsen at Troll Tech about this after discovering it
> myself while working on a nice GUI s/key calculator (email me if you're
> interested). I can't remember what he said about why it was that way, but
> after I pointed out that while under Windows inadvertent selection does not
> cause copy, it *does* under X - which makes accidentally pasting your
> password into the wrong window (or even having someone snoop it out of your
> server - yeah, this is rather unrealistic ;) trivially easy. He concurred
> and mumbled something about it being fixed in 1.4 or so.
As I remember it, I committed the fix to our CVS archive on the same
day that you convinced me :)
> Please note that I have no connection with Troll Tech other than being a
> personal friend of Arnt's, and that anything in the preceding paragraph
> could be wrong. Arnt, further comment from the proverbial horse's
> mouth? (And please don't shoot me ;)
Further comments would be off-topic on bugtraq, and niggles beside.
--Arnt (just now back from vacation)
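The defect described in the thread (a masked entry field that still exports its plaintext to the X selection when the user drags over it) comes down to the selection-export path reading the backing buffer instead of consulting the echo mode. The following is an added illustration, not Qt's code and not the kdm fix: a hypothetical `PasswordField` model with a stand-in for the X PRIMARY selection, showing the buggy export beside a hardened one that refuses to export anything in password mode. All names and the sample secret are constructed for the example.

```cpp
#include <algorithm>
#include <iostream>
#include <string>

// Echo modes, named after the two cases the thread discusses.
enum class EchoMode { Normal, Password };

// Stand-in for the X PRIMARY selection: under X, selecting text with the
// mouse makes the owning widget export it, so a middle-click elsewhere
// (or any client that asks for the selection) receives it.
struct PrimarySelection {
    std::string text;
};

// Hypothetical model of a single-line entry widget (not QLineEdit).
class PasswordField {
public:
    explicit PasswordField(EchoMode mode) : mode_(mode) {}

    void setText(const std::string& s) {
        buffer_ = s;
        selStart_ = selLen_ = 0;
    }

    // A mouse drag selects a range of the displayed characters.
    void select(std::size_t start, std::size_t len) {
        selStart_ = std::min(start, buffer_.size());
        selLen_ = std::min(len, buffer_.size() - selStart_);
    }

    // What the screen shows: the mask in password mode, the text otherwise.
    std::string displayText() const {
        if (mode_ == EchoMode::Password) return std::string(buffer_.size(), '*');
        return buffer_;
    }

    // The defect in the thread: the export path reads the backing buffer,
    // so the on-screen mask is cosmetic and the plaintext leaves the widget
    // as soon as it is selected.
    std::string exportedSelectionUnsafe() const {
        return buffer_.substr(selStart_, selLen_);
    }

    // Hardened variant: the export path consults the echo mode and hands
    // out nothing in password mode (not even the mask), so a mis-paste or
    // a selection snoop yields an empty string.
    std::string exportedSelection() const {
        if (mode_ == EchoMode::Password) return std::string();
        return buffer_.substr(selStart_, selLen_);
    }

private:
    EchoMode mode_;
    std::string buffer_;
    std::size_t selStart_ = 0;
    std::size_t selLen_ = 0;
};

// Simulates the widget claiming PRIMARY after the selection changes.
void onSelectionChanged(const PasswordField& field, PrimarySelection& primary, bool hardened) {
    std::string exported = hardened ? field.exportedSelection()
                                    : field.exportedSelectionUnsafe();
    if (!exported.empty()) primary.text = exported;
}

// Scenario from the thread: type a secret, drag-select all of it, and
// report what PRIMARY holds afterwards.
std::string leakedViaSelection(EchoMode mode, const std::string& secret, bool hardened) {
    PasswordField field(mode);
    PrimarySelection primary;
    field.setText(secret);
    field.select(0, secret.size());
    onSelectionChanged(field, primary, hardened);
    return primary.text;
}

int main() {
    const std::string secret = "constructed-example-secret";  // constructed sample value
    std::cout << "unsafe, password mode:   '" << leakedViaSelection(EchoMode::Password, secret, false) << "'\n";
    std::cout << "hardened, password mode: '" << leakedViaSelection(EchoMode::Password, secret, true) << "'\n";
    std::cout << "hardened, normal mode:   '" << leakedViaSelection(EchoMode::Normal, secret, true) << "'\n";
    return 0;
}
```

The point of the design is that masking belongs on every path that carries text out of the widget, not just the paint routine; a real toolkit has several such paths (PRIMARY, CLIPBOARD, drag-and-drop, accessibility queries) and each one needs the same echo-mode check.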