17.04: GDM lock screen can be circumvented when autologin is set

Bug #1729354 reported by Jeremy Bicha on 2017-11-01
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
gdm
Fix Released
Medium
gdm3 (Ubuntu)
High
Unassigned

Bug Description

Test Case
=========
Steps to Reproduce:
1. From Ubuntu GNOME 17.04, open the Settings app.
2. Click User Accounts then Unlock then turn on Automatic Login for your account
3. Reboot
4. Lock screen (there is a lock button in the system status menu in the right of the top bar)
5. Click the log in as another user button below the password prompt.

Actual results:
The screen unlocks without a password being entered.

Expected results:
A selection of other accounts is shown.

Testing Done
============
I confirmed that the test case succeeds with a locally built package using the provided debdiff.

Other Info
==========
Cherry-picking this commit:
https://git.gnome.org/browse/gdm/commit/?id=16f646

Introduced in
https://git.gnome.org/browse/gdm/commit/?id=ff98b28

Therefore, this should only affect Ubuntu 17.04. Ubuntu GNOME was the only Ubuntu flavor to ship GDM by default in 17.04.

https://security-tracker.debian.org/tracker/CVE-2017-12164

CVE References

Jeremy Bicha (jbicha) wrote :

debdiff attached

Changed in gdm3 (Ubuntu):
status: New → Confirmed
description: updated
Jeremy Bicha (jbicha) on 2017-11-01
tags: added: zesty
removed: artul
description: updated
Changed in gdm3 (Ubuntu):
importance: Undecided → High
status: Confirmed → Triaged
Changed in gdm:
importance: Unknown → Medium
status: Unknown → Fix Released
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiff in comment #1, package is building now. Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gdm3 - 3.24.1-0ubuntu0.2

---------------
gdm3 (3.24.1-0ubuntu0.2) zesty-security; urgency=medium

  * SECURITY UPDATE: lock screen bypass when autologin enabled
    - debian/patches/CVE-2017-12164.patch: daemon/gdm-manager.c:
      only allow autologin from initial display (LP: #1729354)
    - CVE-2017-12164

 -- Jeremy Bicha <email address hidden> Wed, 01 Nov 2017 11:16:26 -0400

Changed in gdm3 (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.