[fprint] I wonder whether disclosure of a fingerprint is a vulnerability or not.

Seong-Joong Kim sungjungk at gmail.com
Thu May 9 11:13:42 UTC 2019


You just thought so because of the following issue.

https://gitlab.freedesktop.org/libfprint/libfprint/merge_requests/47

Here, you insist that this is not a bug or there is no need to fix it.

But it has been proven by another coordination platform that this is a
security issue.

It seems to be a hardware design/implementation issue, more than a driver
one.

Currently, I know that the vendor is preparing for this by providing firmware
updates/upgrades and driver patches, including for Linux and Windows.

Disclosure of this issue will take place later, but not by me.

BTW, you said the following to me twice, on upstream and on the Fedora
Bugzilla:

“There are no short-term plans to fix this. Any attempts at encrypting
the fingerprints would just be security through obscurity, as the decryption
would need to be made available to fprintd and would therefore be available
to other processes.

The only way to currently safeguard the fingerprints is to run with
SELinux, AppArmor or another LSM enabled, and make sure that only the
fprintd binary has access to those saved fingerprints.”

This implies that fingerprints should be protected from exposure, but that it
is not urgently needed (you may think that it can only cause a potential issue).

Then you described how to deal with it: currently, encrypting the
fingerprints is hard to apply, but an LSM will be more efficient.

This means that you regard fingerprints as sensitive data, right?

Otherwise, you have no reason to protect fingerprints.

If so, isn't it a vulnerability that sensitive data is located on the local
disk without protection?


On Thu, May 9, 2019 at 6:22 PM, Bastien Nocera <hadess at hadess.net> wrote:

> On Thu, 2019-05-09 at 18:09 +0900, Seong-Joong Kim wrote:
> > I am really sorry to bother you.
> > I didn't mean it.
> >
> > As you know, I've reported this issue to upstream on Mar 6, but you
> > did not reply to my report for about a month.
>
> That's because you were already spamming me, privately, about a number
> of issues. I answered you privately before then.
>
> > So I just want to know about freedesktop's official? stance.
>
> There's no "freedesktop official stance" anymore than github would have
> an official stance on potential security problems with software it
> hosts.
>
> > If it is vulnerability, I would like to request a CVE ID about
> > information leakage after your confirmation.
>
> I don't think it is, as I've already said many times. I don't know how
> I can phrase it any better.
>
>
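The only mitigation the thread offers for templates sitting on the local disk is to keep them reachable by fprintd alone, via file permissions plus an LSM policy. The script below is an added example, not code from fprintd or libfprint, that audits a store directory for the simplest form of exposure: any entry another local user could read or that another user owns. The store path and layout are assumptions (fprintd's real on-disk layout is not taken from this page); the two sample trees are constructed inside the script so it runs offline, and GNU find/stat are assumed.

```shell
#!/bin/sh
# Added example, not code from fprintd or libfprint.
# Audits a fingerprint template store for the DAC exposure discussed in the
# thread: can a process running as another local user read the templates?
# Assumptions: the store path is whatever you pass in (fprintd's real layout is
# not taken from this page), and GNU find/stat are available.

# check_private_dir DIR [OWNER]
# Returns 0 when DIR and everything under it is owned by OWNER (default: the
# current user) and has no group/other permission bits at all.
# Returns 1 and lists the offending paths on stderr otherwise.
check_private_dir() {
    dir=$1
    owner=${2:-$(id -un)}
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    # -perm /077: any r/w/x bit set for group or other.
    # ! -user: a second DAC identity owns the entry and can chmod it at will.
    bad=$(find "$dir" \( -perm /077 -o ! -user "$owner" \) \
               -exec stat -c '%a %U %n' {} \;)
    if [ -n "$bad" ]; then
        printf 'exposed entries (mode owner path):\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample stores, built in a private temp dir so the script runs
# offline. "weak" is a world-readable layout; "strict" is the hardened one.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
STORE_WEAK=$TMP/weak
STORE_STRICT=$TMP/strict
for s in "$STORE_WEAK" "$STORE_STRICT"; do
    mkdir -p "$s/alice/driver"
    printf 'TEMPLATE-BYTES' > "$s/alice/driver/1"   # stand-in for a template file
done
chmod -R u=rwX,go=rX "$STORE_WEAK"   # 755 dirs / 644 files: any user can copy them
chmod -R u=rwX,go=   "$STORE_STRICT" # 700 dirs / 600 files: owner (and root) only

# Stand-alone run: the weak store is reported, the strict one passes.
for s in "$STORE_WEAK" "$STORE_STRICT"; do
    if check_private_dir "$s"; then echo "OK:   $s"; else echo "FAIL: $s"; fi
done
```

A pass only means that no other local user can open the templates through ordinary permissions. It says nothing about processes running as the same user as fprintd, or as root, which is exactly the gap the quoted reply points at when it says a decryption key handed to fprintd would be available to other processes; closing that gap is what the SELinux/AppArmor policy it recommends is for, by allowing only the fprintd binary's domain to open the store.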