Bug#729683: gnome-orca: orca reads password text entries aloud

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 729683@bugs.debian.org, Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#729683: gnome-orca: orca reads password text entries aloud
From: Joanmarie Diggs <jdiggs@igalia.com>
Date: Sun, 17 Nov 2013 13:57:01 -0500
Message-id: <[🔎] 5289117D.5000509@igalia.com>
Reply-to: Joanmarie Diggs <jdiggs@igalia.com>, 729683@bugs.debian.org
In-reply-to: <[🔎] 20131115190448.2813.19951.reportbug@wheezy.fifthhorseman.net>
References: <[🔎] 20131115190448.2813.19951.reportbug@wheezy.fifthhorseman.net>

Already fixed in Clutter:
https://git.gnome.org/browse/clutter/commit/?id=ccea1644ba81593fd19a772048e91909962ef570

--joanie

On 11/15/2013 02:04 PM, Daniel Kahn Gillmor wrote:
> Package: gnome-orca
> Version: 3.4.2-2
> Severity: normal
> 
> Hi Orca folks--
> 
> It looks like the gnome screen-reader reads back every key pressed
> into a password text entry field.  If the computer in question has
> public audio enabled, this effectively reads the user's password aloud
> to anyone else in the room.
> 
> Most egregiously, this happens in the gdm3 login greeter during
> password entry.  This is particularly bad because anyone (without
> authentication) can enable the screen reader for the gdm3 greeter via
> the accessibility menu (see http://bugs.debian.org/689559), and leave
> it that way for the next person who logs in.
> 
> I note that sometimes (i haven't been able to track down what the
> difference is), gnome does read each character of the password text as
> "asterisk".  that's clumsy, but it's way better from a security point
> of view than the behavior i'm currently seeing (hearing).
> 
> To reproduce the problem, i launched a kvm guest with a minimal wheezy
> install, then installed (without Recommends):
> 
>  xserver-xorg orca gnome-orca pulseaudio pulseaudio-module-x11 xbrlapi
>  gnome-mag libbonobo2-bin speech-dispatcher-festival festvox-kallpc16k
>  sox sound-icons openbox at-spi2-core desktop-base
>  gnome-icon-theme-symbolic
> 
> and then, finally:
> 
>  apt-get install gdm3
> 
> It seems likely that an even more minimalist config could reproduce
> the problem too.
> 
>    --dkg
> 
> -- System Information:
> Debian Release: 7.2
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> Versions of packages gnome-orca depends on:
> ii  gir1.2-gtk-3.0     3.4.2-6
> ii  gir1.2-pango-1.0   1.30.0-1
> ii  gir1.2-wnck-3.0    3.4.2-1
> ii  python             2.7.3-4+deb7u1
> ii  python-brlapi      4.4-10+deb7u1
> ii  python-cairo       1.8.8-1+b2
> ii  python-dbus        1.1.1-1
> ii  python-gi          3.2.2-2
> ii  python-louis       2.4.1-1
> ii  python-pyatspi2    2.5.3+dfsg-3
> ii  python-speechd     0.7.1-6.2
> ii  python-support     1.0.15
> ii  python-xdg         0.19-5
> ii  speech-dispatcher  0.7.1-6.2
> 
> Versions of packages gnome-orca recommends:
> ii  gnome-mag  1:0.16.3-1
> ii  wget       1.13.4-3
> ii  xbrlapi    4.4-10+deb7u1
> 
> gnome-orca suggests no packages.
> 
> -- no debconf information
> 
>

Reply to:

Follow-Ups:
- Bug#729683: gnome-orca: orca reads password text entries aloud
  - From: Joanmarie Diggs <jdiggs@igalia.com>

References:
- Bug#729683: gnome-orca: orca reads password text entries aloud
  - From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Prev by Date: wxWidgets 3.0 - espeakedit fixes
Next by Date: Bug#729683: gnome-orca: orca reads password text entries aloud
Previous by thread: Bug#729683: gnome-orca: orca reads password text entries aloud
Next by thread: Bug#729683: gnome-orca: orca reads password text entries aloud
Index(es):
- Date
- Thread