From ${URL} :

It was reported that accountsservice invokes usermod with the -p parameter when calling SetPassword(), which can leak encrypted passwords locally (being that they are briefly visible via ps). As noted in the upstream bug:

The relevant code is in src/user.c in the user_change_password_authorized_cb() function:

    argv[0] = "/usr/sbin/usermod";
    argv[1] = "-p";
    argv[2] = strings[0];
    argv[3] = "--";
    argv[4] = user->user_name;
    argv[5] = NULL;

strings[0] has been set to the crypted password in user_set_password(). The crypted password has been passed from the client (ie: gnome-control-center).

This has not yet been corrected upstream.

References:
https://bugs.freedesktop.org/show_bug.cgi?id=55000
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=757912
https://bugzilla.redhat.com/show_bug.cgi?id=1130538

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
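An added example, not accountsservice code and not an upstream patch: one way to keep the crypted password out of the process list is to send it over a pipe to the helper's stdin instead of placing it in argv. It assumes chpasswd is installed at /usr/sbin/chpasswd and reads user:hash records from stdin with -e; the function names are hypothetical.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Build the "user:hash\n" record. Returns 0 on success, -1 if a field
 * could break the record format or the buffer is too small. */
int format_chpasswd_line(const char *user, const char *hash, char *out, size_t n)
{
    if (!*user || strpbrk(user, ":\n") || strpbrk(hash, ":\n"))
        return -1;
    int len = snprintf(out, n, "%s:%s\n", user, hash);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Run argv with `input` on its stdin; returns exit status, -1 on error. */
int run_with_stdin(char *const argv[], const char *input)
{
    int fds[2], status;
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                   /* child: pipe read end becomes stdin */
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]);
        close(fds[1]);
        execv(argv[0], argv);
        _exit(127);
    }
    close(fds[0]);
    signal(SIGPIPE, SIG_IGN);         /* child may exit without reading */
    size_t left = strlen(input);
    while (left > 0) {
        ssize_t w = write(fds[1], input, left);
        if (w <= 0) break;
        input += w; left -= (size_t)w;
    }
    close(fds[1]);                    /* EOF for the child */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* The hash travels over the pipe; argv holds only the program and -e. */
int set_crypted_password(const char *user, const char *hash)
{
    char line[1024];
    char *argv[] = { "/usr/sbin/chpasswd", "-e", NULL };  /* assumed path */
    if (format_chpasswd_line(user, hash, line, sizeof line) != 0)
        return -1;
    return run_with_stdin(argv, line);
}
```

Rejecting ':' and newline in both fields prevents a caller-supplied value from injecting a second record for a different account.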
From:
https://bugzilla.redhat.com/show_bug.cgi?id=1130538
https://access.redhat.com/security/cve/CVE-2012-6655

The bug was labeled closed wontfix