gnome-keyring does not obey the configuration asking it to stop caching passphrases after a while. More details and patches available at the following references:
https://bugzilla.gnome.org/show_bug.cgi?id=681081
https://bugzilla.redhat.com/show_bug.cgi?id=845426
Upstream bug suggests that this is a regression from 3.3.x. But it seems some older versions may also be affected.
Reproducible: Always
This lists affected versions: https://bugzilla.gnome.org/show_bug.cgi?id=681081#c17
CVE-2012-3466 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3466): GNOME gnome-keyring 3.4.0 through 3.4.1, when gpg-cache-method is set to "idle" or "timeout," does not properly limit the amount of time a passphrase is cached, which allows attackers to have an unspecified impact via unknown attack vectors.
Fixed in 3.4.1-r1, sorry for forgetting about this bug for so long.
>*gnome-keyring-3.4.1-r1 (24 Oct 2012)
>
> 24 Oct 2012; Alexandre Rostovtsev <tetromino@gentoo.org>
> gnome-keyring-2.32.1.ebuild, gnome-keyring-2.32.1-r1.ebuild,
> +files/gnome-keyring-2.32.1-glib-2.32.patch, gnome-keyring-3.2.2.ebuild,
> gnome-keyring-3.4.1.ebuild, +gnome-keyring-3.4.1-r1.ebuild,
> +files/gnome-keyring-3.4.1-gpg-cache-method-1.patch,
> +files/gnome-keyring-3.4.1-gpg-cache-method-2.patch:
> Fix gpg passwords being cached for longer than the user requested (bug
> #430602, CVE-2012-3466, thanks to Jason A. Donenfeld and Pacho Ramos). Fix
> 2.32.1-r1's build failure with glib-2.32 and gold. Drop useless doc USE flag:
> in 2.x and 3.2.x, it only controlled document regeneration; in 3.4.x, it had
> no effect at all. Update license.
(In reply to comment #3)
> Fixed in 3.4.1-r1, sorry for forgetting about this bug for so long.
>
Thanks, Alexandre. Please don't forget to drop vulnerable versions.
Re-rating ~4 for ~arch-only and closing noglsa.