HUD "Super" and "Alt" shortcuts works through locked screen
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Unity | Fix Released | High | Andrea Azzarone |
hud (Ubuntu) | Invalid | Undecided | Unassigned |
unity (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
To reproduce:
1. Lock screen (e.g. using Ctrl+Alt+L or corresponding option in menu).
2. Press Super (or Alt) key.
3. Enter password to unlock desktop.
Expected behaviour: nothing on desktop should be changed.
Observed behaviour: the HUD menu popped up, as if Alt or Super were pressed on the desktop.
I am marking this bug report as a security issue because I am not sure whether Super and Alt are the only shortcuts being passed to the desktop; if other keys can be passed to the desktop in any way, it would be possible to run some command through the HUD.
ProblemType: Bug
DistroRelease: Ubuntu 13.10
Package: hud 13.10.1+
ProcVersionSign
Uname: Linux 3.11.0-15-generic x86_64
ApportVersion: 2.12.5-0ubuntu2.2
Architecture: amd64
CheckboxSubmission: 3d16077c4fdd6a0
CheckboxSystem: b633b4f40868d49
Date: Mon Jan 6 17:18:05 2014
InstallationDate: Installed on 2014-01-01 (4 days ago)
InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Release amd64 (20131016.1)
MarkForUpload: True
SourcePackage: hud
UpgradeStatus: No upgrade log present (probably fresh install)
Related branches
- Marco Trevisan (Treviño): Approve
- PS Jenkins bot (community): Approve (continuous-integration)
- Robert Ancell: Approve
- Sebastien Bacher: Needs Information
Diff: 5118 lines (+3653/-167), 80 files modified
CMakeLists.txt (+2/-0)
UnityCore/DBusIndicators.cpp (+7/-2)
UnityCore/DBusIndicators.h (+5/-1)
UnityCore/GnomeSessionManager.cpp (+30/-12)
UnityCore/GnomeSessionManager.h (+1/-0)
UnityCore/GnomeSessionManagerImpl.h (+1/-0)
UnityCore/SessionManager.h (+5/-0)
debian/control (+3/-5)
hud/HudView.cpp (+0/-2)
lockscreen/BackgroundSettings.cpp (+153/-0)
lockscreen/BackgroundSettings.h (+55/-0)
lockscreen/CMakeLists.txt (+33/-0)
lockscreen/CofView.cpp (+41/-0)
lockscreen/CofView.h (+42/-0)
lockscreen/LockScreenAbstractShield.h (+55/-0)
lockscreen/LockScreenController.cpp (+249/-0)
lockscreen/LockScreenController.h (+74/-0)
lockscreen/LockScreenPanel.cpp (+230/-0)
lockscreen/LockScreenPanel.h (+75/-0)
lockscreen/LockScreenSettings.cpp (+104/-0)
lockscreen/LockScreenSettings.h (+66/-0)
lockscreen/LockScreenShield.cpp (+200/-0)
lockscreen/LockScreenShield.h (+63/-0)
lockscreen/LockScreenShieldFactory.cpp (+34/-0)
lockscreen/LockScreenShieldFactory.h (+51/-0)
lockscreen/UserAuthenticator.h (+56/-0)
lockscreen/UserAuthenticatorPam.cpp (+171/-0)
lockscreen/UserAuthenticatorPam.h (+66/-0)
lockscreen/UserPromptView.cpp (+282/-0)
lockscreen/UserPromptView.h (+81/-0)
lockscreen/pch/lockscreen_pch.hh (+31/-0)
panel/PanelIndicatorEntryView.cpp (+1/-1)
panel/PanelIndicatorsView.cpp (+8/-0)
panel/PanelIndicatorsView.h (+1/-0)
panel/PanelMenuView.cpp (+0/-1)
panel/PanelMenuView.h (+0/-1)
panel/PanelView.cpp (+5/-10)
plugins/unityshell/CMakeLists.txt (+5/-1)
plugins/unityshell/src/nux-text-entry-accessible.cpp (+8/-19)
plugins/unityshell/src/unity-text-input-accessible.cpp (+90/-0)
plugins/unityshell/src/unity-text-input-accessible.h (+57/-0)
plugins/unityshell/src/unitya11y.cpp (+5/-0)
plugins/unityshell/src/unityshell.cpp (+52/-4)
plugins/unityshell/src/unityshell.h (+7/-0)
plugins/unityshell/unityshell.xml.in (+20/-0)
po/POTFILES.in (+1/-0)
services/CMakeLists.txt (+3/-0)
services/panel-main.c (+21/-2)
services/panel-service.c (+19/-5)
services/panel-service.h (+2/-0)
services/unity-panel-service-lockscreen.conf.in (+8/-0)
shutdown/CMakeLists.txt (+1/-0)
shutdown/SessionDBusManager.cpp (+180/-0)
shutdown/SessionDBusManager.h (+50/-0)
shutdown/StandaloneSession.cpp (+1/-0)
tests/CMakeLists.txt (+5/-0)
tests/autopilot/unity/tests/launcher/test_icon_behavior.py (+1/-1)
tests/autopilot/unity/tests/launcher/test_tooltips.py (+2/-3)
tests/autopilot/unity/tests/test_quicklist.py (+11/-6)
tests/autopilot/unity/tests/test_spread.py (+1/-1)
tests/data/external.gschema.xml (+24/-0)
tests/test_gnome_session_manager.cpp (+50/-40)
tests/test_lockscreen_controller.cpp (+335/-0)
tests/test_mock_session_manager.h (+1/-0)
tests/test_text_input.cpp (+4/-2)
tests/test_upstart_wrapper.cpp (+90/-0)
tests/test_user_authenticator_pam.cpp (+58/-0)
tests/test_utils.h (+1/-1)
unity-shared/CMakeLists.txt (+1/-0)
unity-shared/GtkTexture.h (+64/-0)
unity-shared/IMTextEntry.cpp (+3/-2)
unity-shared/IMTextEntry.h (+1/-1)
unity-shared/MockableBaseWindow.h (+0/-1)
unity-shared/TextInput.cpp (+46/-31)
unity-shared/TextInput.h (+12/-8)
unity-shared/UScreen.cpp (+3/-3)
unity-shared/UnityWindowView.cpp (+1/-1)
unity-shared/UpstartWrapper.cpp (+74/-0)
unity-shared/UpstartWrapper.h (+53/-0)
unity-shared/WindowManager.h (+1/-0)
Changed in hud (Ubuntu):
status: New → Confirmed
Changed in unity:
milestone: none → 7.2.0
assignee: nobody → Andrea Azzarone (andyrock)
importance: Undecided → High
status: Confirmed → In Progress
Changed in unity:
status: In Progress → Fix Released
status: Fix Released → Fix Committed
Changed in unity (Ubuntu):
status: New → Fix Released
I've confirmed the behaviour; it does not appear to provide any ability to further cross privilege boundaries, so I'm marking it public / not-security. I'm also not sure if hud is the right target, I know Unity has some special handling around the Meta and Super keys.
Thanks