[Dx-packages] [Bug 1308572] Re: Ubuntu 14.04: security problem in the lock screen
Just another sidenote: I'm unaffected by this bug, because I always use xscreensaver instead of those newer unsecure rewrites. People concerned about security might want to read the http://www.jwz.org/blog/2014/04/the-awful-thing-about-getting-it-right-the-first-time-is-that-nobody-realizes-how-hard-it-was/ blog post of Jamie Zawinski who has written xscreensaver.

--
You received this bug notification because you are a member of DX Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/1308572

Title:
  Ubuntu 14.04: security problem in the lock screen

Status in Unity:
  Fix Released
Status in “unity” package in Ubuntu:
  Fix Released

Bug description:
  affects ubuntu

  Hello, I am running Ubuntu 14.04 with all the packages updated. When the screen is locked with password, if I hold ENTER after some seconds the screen freezes and the lock screen crashes. After that I have the computer fully unlocked.

  --
  Marco Agnese

  This bug is about the lockscreen being bypassed when unity crashes/restarts, which is a critical security issue. The crash will be handled from bug 1308750

To manage notifications about this bug go to:
https://bugs.launchpad.net/unity/+bug/1308572/+subscriptions

--
Mailing list: https://launchpad.net/~dx-packages
Post to     : dx-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dx-packages
More help   : https://help.launchpad.net/ListHelp
[Dx-packages] [Bug 1308572] Re: Ubuntu 14.04: security problem in the lock screen
Just a sidenote: Unlike what the sensationalist article at heise.de from today suggests (which links here), this bug was fixed in a heroic effort over night *before* final release, the fix is on the 14.04 image that was released to end users.
[Dx-packages] [Bug 1308572] Re: Ubuntu 14.04: security problem in the lock screen
This Lock Screen bug is just one of many unfixed security issues. Below is another long-standing issue that also allows one to bypass the lock screen...

https://bugs.launchpad.net/ubuntu/+source/gnome-screensaver/+bug/49579
[Dx-packages] [Bug 1308572] Re: Ubuntu 14.04: security problem in the lock screen
@kristian-erik-hermansen Cool find, but utterly irrelevant here. That bug is about users blindly trusting the screen to auto-lock (which they _should be able to_). This bug is about the trust being broken even after they _verified_ that they had _explicitly_ locked their screens. That's (a) a very different issue (b) a very different severity of failure.
[Dx-packages] [Bug 1308572] Re: Ubuntu 14.04: security problem in the lock screen
Yes, bug 49579 won't get fixed until we move away from xorg into Mir...
[Dx-packages] [Bug 1308572] Re: Ubuntu 14.04: security problem in the lock screen
** Changed in: unity
       Status: In Progress => Fix Committed

** Tags added: lockscreen
[Dx-packages] [Bug 1308572] Re: Ubuntu 14.04: security problem in the lock screen
** Changed in: unity
       Status: Fix Committed => Fix Released
[Dx-packages] [Bug 1308572] Re: Ubuntu 14.04: security problem in the lock screen
** Package changed: gnome-screensaver (Ubuntu) => unity (Ubuntu)
[Dx-packages] [Bug 1308572] Re: Ubuntu 14.04: security problem in the lock screen
** Also affects: unity
   Importance: Undecided
       Status: New

** Changed in: unity
       Status: New => Triaged

** Changed in: unity (Ubuntu)
       Status: New => Triaged

** Changed in: unity
   Importance: Undecided => Critical

** Changed in: unity (Ubuntu)
   Importance: Undecided => Critical
[Dx-packages] [Bug 1308572] Re: Ubuntu 14.04: security problem in the lock screen
To be clear, the always restart locked half of the fix is the more important bit. The crash is embarrassing, but crashes will happen, and we'll find others. Having it restart unlocked is bordering on unforgivable, and we should focus on fixing that first.
[Dx-packages] [Bug 1308572] Re: Ubuntu 14.04: security problem in the lock screen
** Description changed:

  affects ubuntu

  Hello, I am running Ubuntu 14.04 with all the packages updated. When the screen is locked with password, if I hold ENTER after some seconds the screen freezes and the lock screen crashes. After that I have the computer fully unlocked.

  --
  Marco Agnese
+
+ This bug is about the lockscreen being bypassed when unity
+ crashes/restarts, which is a critcal security issue. The crash will be
+ handled from bug 1308750

** Changed in: unity
     Assignee: Brandon Schaefer (brandontschaefer) => (unassigned)

** Changed in: unity
     Assignee: (unassigned) => Marco Trevisan (Treviño) (3v1n0)

** Changed in: unity (Ubuntu)
     Assignee: Brandon Schaefer (brandontschaefer) => Marco Trevisan (Treviño) (3v1n0)
[Dx-packages] [Bug 1308572] Re: Ubuntu 14.04: security problem in the lock screen
** Changed in: unity
     Assignee: Marco Trevisan (Treviño) (3v1n0) => Andrea Azzarone (andyrock)

** Changed in: unity (Ubuntu)
     Assignee: Marco Trevisan (Treviño) (3v1n0) => Andrea Azzarone (andyrock)

** Changed in: unity
    Milestone: None => 7.2.1
[Dx-packages] [Bug 1308572] Re: Ubuntu 14.04: security problem in the lock screen
** Branch linked: lp:~andyrock/unity/fix-1308572
[Dx-packages] [Bug 1308572] Re: Ubuntu 14.04: security problem in the lock screen
** Branch linked: lp:~3v1n0/unity/relocks-on-crashes
[Dx-packages] [Bug 1308572] Re: Ubuntu 14.04: security problem in the lock screen
So both the linked branches built in silo 8, and when I tested it, this is what I found:

1. start unity
2. open terminal (Ctrl+alt+T)
3. type 'sleep 15; killall -9 compiz'
4. lock screen

observe: screen locks, then unity crashes, then unity restarts locked. so far so good.

5. issue the same command in the terminal again
6. lock the screen again

observe: screen locks, then unity crashes... and doesn't come back.

I'm told this is not a regression (eg it's known that unity does not restart after the first crash) however this is significant because when unity does not restart, that terminal just stays open right there, and while it doesn't respond to keyboard input, it does respond to mouse input, so it's possible to issue commands as the logged-in user by copy pasting (eg, select some text, right click - copy, right click - paste).

So if I'm an attacker and I'm in a position to trigger a crash in compiz, the whole restarting locked thing seems kind of weak, because all I have to do is crash compiz... twice. Granted the unity-free UI is quite limited, maybe there's a browser open and I can access the user's email, or whatever. it's still an attack vector.
[Dx-packages] [Bug 1308572] Re: Ubuntu 14.04: security problem in the lock screen
** Branch unlinked: lp:~3v1n0/unity/relocks-on-crashes
[Dx-packages] [Bug 1308572] Re: Ubuntu 14.04: security problem in the lock screen
This bug was fixed in the package unity - 7.2.0+14.04.20140416-0ubuntu1

---
unity (7.2.0+14.04.20140416-0ubuntu1) trusty; urgency=low

  [ Andrea Azzarone ]
  * Do not allow to activate twice the same entry! (LP: #1308572)

  [ Marco Trevisan (Treviño) ]
  * UnityScreen: save a locked.stamp file when locking/unlocking, to relock on startup This makes unity to relocks if it was locked before crashing... (LP: #1308572)

 -- Ubuntu daily release ps-jenk...@lists.canonical.com Wed, 16 Apr 2014 22:41:19 +

** Changed in: unity (Ubuntu)
       Status: In Progress => Fix Released
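
The "save a locked.stamp file ... to relock on startup" entry above, and the earlier comment that restarting locked is the more important half of the fix, describe a fail-closed restart. The sketch below is an added example and is not Unity's code or part of the original message: the LockStamp class, its method names and the state directory are hypothetical, and only the locked.stamp file name comes from the changelog.

```cpp
// Added example, not Unity's code. LockStamp and its methods are hypothetical.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <utility>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

enum class StartupState { Unlocked, Locked };

class LockStamp {
public:
    // state_dir: assumed to be a per-user directory only that user can write to.
    explicit LockStamp(std::string state_dir)
        : path_(std::move(state_dir) + "/locked.stamp") {}

    // Call BEFORE the lock screen is shown. The file exists as soon as open()
    // returns, so a crash of the shell at any later point cannot undo it.
    bool MarkLocked() const {
        int fd = open(path_.c_str(),
                      O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
        if (fd < 0) return false;
        return close(fd) == 0;
    }

    // Call only AFTER authentication succeeded. A missing stamp is fine.
    bool MarkUnlocked() const {
        return unlink(path_.c_str()) == 0 || errno == ENOENT;
    }

    // State a freshly (re)started shell must come up in.
    StartupState OnStartup() const {
        struct stat st;
        if (lstat(path_.c_str(), &st) == 0) return StartupState::Locked;
        // Only a definite "no such file" means the last session ended unlocked.
        // Any other error (ENOTDIR, EACCES, ELOOP, ...) fails closed.
        return errno == ENOENT ? StartupState::Unlocked : StartupState::Locked;
    }

private:
    std::string path_;
};

static const char* Name(StartupState s) {
    return s == StartupState::Locked ? "locked" : "unlocked";
}

int main() {
    char tmpl[] = "/tmp/lockstamp-demo-XXXXXX";   // constructed demo directory
    const char* dir = mkdtemp(tmpl);
    if (!dir) return 1;

    LockStamp session(dir);
    session.MarkLocked();                  // user locks the screen
    // ... the shell is killed here; nothing ever calls MarkUnlocked() ...
    LockStamp restarted(dir);              // new process, same state directory
    std::printf("restart after crash while locked: %s\n",
                Name(restarted.OnStartup()));

    restarted.MarkUnlocked();              // password accepted
    LockStamp next(dir);
    std::printf("restart after a clean unlock:     %s\n",
                Name(next.OnStartup()));

    rmdir(dir);
    return 0;
}
```

The stamp only decides how a restarted shell comes up; it does nothing for the case reported earlier in the thread where the shell does not restart at all.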
[Dx-packages] [Bug 1308572] Re: Ubuntu 14.04: security problem in the lock screen
robru: the fact that unity doesn't reload properly after some crashes is related to bug #1308800 (it seems upstart is not loading unity, so gnome-session is not reliable at all for this).