[Bug 1767918] [NEW] Login password from GDM is shown in plain text on the VT1 console

Launchpad Bug Tracker 1767918 at bugs.launchpad.net
Tue Aug 28 01:53:03 UTC 2018


*** This bug is a security vulnerability ***

You have been subscribed to a public security bug:

https://gitlab.gnome.org/GNOME/gdm/issues/408

---

I don't know which package this applies to, but I believe the best bet is
GDM.

Steps to reproduce:
1) Log in using X11 login via GDM.
2) Use the desktop for a while. (For some reason I cannot reproduce if I log in and then restart after a short while.)
3) In Gnome click System menu -> Power Button -> Restart
4) Quickly press CTRL-ALT-F1
5) I see my login password in plain text in the console.  Once I saw the login password repeated twice.

See attached photo with the login password blanked out.  Below the
password is the console cursor.

## lsb_release -rd
Description:	Ubuntu 18.04 LTS
Release:	18.04

## apt-cache policy gdm3
gdm3:
  Installed: 3.28.0-0ubuntu1
  Candidate: 3.28.0-0ubuntu1
  Version table:
 *** 3.28.0-0ubuntu1 500
        500 http://nz.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: gdm3 3.28.0-0ubuntu1
ProcVersionSignature: Ubuntu 4.15.0-18.19-generic 4.15.17
Uname: Linux 4.15.0-18-generic x86_64
ApportVersion: 2.20.9-0ubuntu7
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Mon Apr 30 14:54:07 2018
InstallationDate: Installed on 2018-04-13 (17 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Beta amd64 (20180404)
SourcePackage: gdm3
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: gdm3 (Ubuntu)
     Importance: High
         Status: Confirmed

** Affects: gnome-shell (Ubuntu)
     Importance: High
         Status: Confirmed

** Affects: plymouth (Ubuntu)
     Importance: High
         Status: Confirmed


** Tags: amd64 apport-bug bionic fall-through
-- 
Login password from GDM is shown in plain text on the VT1 console
https://bugs.launchpad.net/bugs/1767918
You received this bug notification because you are a member of Ubuntu Foundations Bugs, which is subscribed to plymouth in Ubuntu.


