
Bug#729683: gnome-orca: orca reads password text entries aloud



Sorry to be spammy, but you'll also want this other Clutter commit:
https://git.gnome.org/browse/clutter/commit/?id=78a3590fd67338b63651fcf935aeeee4254ef1e1

On 11/17/2013 01:57 PM, Joanmarie Diggs wrote:
> Already fixed in Clutter:
> https://git.gnome.org/browse/clutter/commit/?id=ccea1644ba81593fd19a772048e91909962ef570
> 
> --joanie
> 
> On 11/15/2013 02:04 PM, Daniel Kahn Gillmor wrote:
>> Package: gnome-orca
>> Version: 3.4.2-2
>> Severity: normal
>>
>> Hi Orca folks--
>>
>> It looks like the gnome screen-reader reads back every key pressed
>> into a password text entry field.  If the computer in question has
>> public audio enabled, this effectively reads the user's password aloud
>> to anyone else in the room.
>>
>> Most egregiously, this happens in the gdm3 login greeter during
>> password entry.  This is particularly bad because anyone (without
>> authentication) can enable the screen reader for the gdm3 greeter via
>> the accessibility menu (see http://bugs.debian.org/689559), and leave
>> it that way for the next person who logs in.
>>
>> I note that sometimes (i haven't been able to track down what the
>> difference is), gnome does read each character of the password text as
>> "asterisk".  that's clumsy, but it's way better from a security point
>> of view than the behavior i'm currently seeing (hearing).
>>
>> To reproduce the problem, i launched a kvm guest with a minimal wheezy
>> install, then installed (without Recommends):
>>
>>  xserver-xorg orca gnome-orca pulseaudio pulseaudio-module-x11 xbrlapi
>>  gnome-mag libbonobo2-bin speech-dispatcher-festival festvox-kallpc16k
>>  sox sound-icons openbox at-spi2-core desktop-base
>>  gnome-icon-theme-symbolic
>>
>> and then, finally:
>>
>>  apt-get install gdm3
>>
>> It seems likely that an even more minimalist config could reproduce
>> the problem too.
>>
>>    --dkg
>>
>> -- System Information:
>> Debian Release: 7.2
>>   APT prefers stable-updates
>>   APT policy: (500, 'stable-updates'), (500, 'stable')
>> Architecture: amd64 (x86_64)
>>
>> Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>> Shell: /bin/sh linked to /bin/dash
>>
>> Versions of packages gnome-orca depends on:
>> ii  gir1.2-gtk-3.0     3.4.2-6
>> ii  gir1.2-pango-1.0   1.30.0-1
>> ii  gir1.2-wnck-3.0    3.4.2-1
>> ii  python             2.7.3-4+deb7u1
>> ii  python-brlapi      4.4-10+deb7u1
>> ii  python-cairo       1.8.8-1+b2
>> ii  python-dbus        1.1.1-1
>> ii  python-gi          3.2.2-2
>> ii  python-louis       2.4.1-1
>> ii  python-pyatspi2    2.5.3+dfsg-3
>> ii  python-speechd     0.7.1-6.2
>> ii  python-support     1.0.15
>> ii  python-xdg         0.19-5
>> ii  speech-dispatcher  0.7.1-6.2
>>
>> Versions of packages gnome-orca recommends:
>> ii  gnome-mag  1:0.16.3-1
>> ii  wget       1.13.4-3
>> ii  xbrlapi    4.4-10+deb7u1
>>
>> gnome-orca suggests no packages.
>>
>> -- no debconf information
>>
>>
> 

