http://bugzilla.opensuse.org/show_bug.cgi?id=1090856

            Bug ID: 1090856
           Summary: Requesting audit of pam_kwallet
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: fvogt@suse.com
        QA Contact: qa-bugs@suse.de
                CC: lbeltrame@kde.org
          Found By: ---
           Blocker: ---

pam_kwallet (https://cgit.kde.org/kwallet-pam.git) can be used to unlock the
KDE wallet (password storage) using the password during login.

It has been included in the distro for a while now and was never properly
reviewed by the security team, as there is no such requirement for PAM modules.
IMO a review should be done.

It's a fairly small PAM module (plain C) which reads the password using PAM,
computes the hash used as the encryption key, drops privileges and starts
kwalletd with the key written into a pipe.
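
For reviewers, the "drop privileges, then hand the key over a pipe" step described in the report looks roughly like the sketch below. This is an added example, not part of the bug report and not kwallet-pam source; `drop_privileges` and `handoff_key` are hypothetical names, the child process stands in for kwalletd, and the key is a constructed sample.

```c
/* Added illustration; NOT kwallet-pam source. Function names are hypothetical. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop to uid/gid irreversibly. Order matters: groups, then gid, then uid. */
static int drop_privileges(uid_t uid, gid_t gid) {
    /* Simplification: a real module would call initgroups() for the user. */
    if (geteuid() == 0 && uid != 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1; /* check every call */
    if (uid != 0 && setuid(0) == 0) return -1; /* regaining root must fail */
    return (getuid() == uid && geteuid() == uid && getegid() == gid) ? 0 : -1;
}

/* Parent writes the key into a pipe; the child drops privileges BEFORE it
   reads. Returns 0 only if the child ran as uid/gid and got all len bytes. */
int handoff_key(const unsigned char *key, size_t len, uid_t uid, gid_t gid) {
    int fds[2];
    if (len > 64 || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) { /* child: stands in for the unprivileged wallet daemon */
        unsigned char buf[64];
        size_t got = 0; ssize_t n;
        close(fds[1]);
        if (drop_privileges(uid, gid) != 0) _exit(2); /* fail closed */
        while (got < len && (n = read(fds[0], buf + got, len - got)) > 0)
            got += (size_t)n;
        /* memcmp is a demo-only check; fork() copied key into the child */
        _exit(got == len && memcmp(buf, key, len) == 0 ? 0 : 3);
    }
    /* Read end is still open here, so a dead child cannot raise SIGPIPE. */
    ssize_t w = write(fds[1], key, len); /* <= 64 bytes fits the pipe buffer */
    close(fds[0]); close(fds[1]);
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || w != (ssize_t)len) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void) {
    unsigned char key[32];
    memset(key, 0xA5, sizeof key); /* constructed sample key, not a real hash */
    printf("handoff: %d\n", handoff_key(key, sizeof key, getuid(), getgid()));
    return 0;
}
```

Points an audit of this pattern would check: every set*id() return value is tested, the drop happens before the secret is read, and failure aborts instead of continuing with elevated privileges.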