Bug#729683: gnome-orca: orca reads password text entries aloud

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#729683: gnome-orca: orca reads password text entries aloud
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Fri, 15 Nov 2013 14:04:48 -0500
Message-id: <[🔎] 20131115190448.2813.19951.reportbug@wheezy.fifthhorseman.net>
Reply-to: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 729683@bugs.debian.org

Package: gnome-orca
Version: 3.4.2-2
Severity: normal

Hi Orca folks--

It looks like the gnome screen-reader reads back every key pressed
into a password text entry field.  If the computer in question has
public audio enabled, this effectively reads the user's password aloud
to anyone else in the room.

Most egregiously, this happens in the gdm3 login greeter during
password entry.  This is particularly bad because anyone (without
authentication) can enable the screen reader for the gdm3 greeter via
the accessibility menu (see http://bugs.debian.org/689559), and leave
it that way for the next person who logs in.

I note that sometimes (i haven't been able to track down what the
difference is), gnome does read each character of the password text as
"asterisk".  that's clumsy, but it's way better from a security point
of view than the behavior i'm currently seeing (hearing).

To reproduce the problem, i launched a kvm guest with a minimal wheezy
install, then installed (without Recommends):

 xserver-xorg orca gnome-orca pulseaudio pulseaudio-module-x11 xbrlapi
 gnome-mag libbonobo2-bin speech-dispatcher-festival festvox-kallpc16k
 sox sound-icons openbox at-spi2-core desktop-base
 gnome-icon-theme-symbolic

and then, finally:

 apt-get install gdm3

It seems likely that an even more minimalist config could reproduce
the problem too.

   --dkg

-- System Information:
Debian Release: 7.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gnome-orca depends on:
ii  gir1.2-gtk-3.0     3.4.2-6
ii  gir1.2-pango-1.0   1.30.0-1
ii  gir1.2-wnck-3.0    3.4.2-1
ii  python             2.7.3-4+deb7u1
ii  python-brlapi      4.4-10+deb7u1
ii  python-cairo       1.8.8-1+b2
ii  python-dbus        1.1.1-1
ii  python-gi          3.2.2-2
ii  python-louis       2.4.1-1
ii  python-pyatspi2    2.5.3+dfsg-3
ii  python-speechd     0.7.1-6.2
ii  python-support     1.0.15
ii  python-xdg         0.19-5
ii  speech-dispatcher  0.7.1-6.2

Versions of packages gnome-orca recommends:
ii  gnome-mag  1:0.16.3-1
ii  wget       1.13.4-3
ii  xbrlapi    4.4-10+deb7u1

gnome-orca suggests no packages.

-- no debconf information

Reply to:

Follow-Ups:
- Bug#729683: gnome-orca: orca reads password text entries aloud
  - From: Joanmarie Diggs <jdiggs@igalia.com>

Prev by Date: Bug#724695: brltty: initramfs hook copies /proc/mounts to /etc/mtab
Next by Date: wxWidgets 3.0 - espeakedit fixes
Previous by thread: Bug#729424: svox: [PATCH] Resolve FTBFS with link order
Next by thread: Bug#729683: gnome-orca: orca reads password text entries aloud
Index(es):
- Date
- Thread