17.04: GDM lock screen can be circumvented when autologin is set
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
gdm | Fix Released | Medium | | |
gdm3 (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
Test Case
=========
Steps to Reproduce:
1. From Ubuntu GNOME 17.04, open the Settings app.
2. Click User Accounts, then Unlock, then turn on Automatic Login for your account.
3. Reboot
4. Lock screen (there is a lock button in the system status menu in the right of the top bar)
5. Click the log in as another user button below the password prompt.
Actual results:
The screen unlocks without a password being entered.
Expected results:
A selection of other accounts is shown.
Testing Done
============
I confirmed that the test case succeeds with a locally built package using the provided debdiff.
Other Info
==========
Cherry-picking this commit:
https:/
Introduced in
https:/
Therefore, this should only affect Ubuntu 17.04. Ubuntu GNOME was the only Ubuntu flavor to ship GDM by default in 17.04.
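
A host-side check for the precondition in step 2, as an added example that is not part of the bug report or the GDM project: it reads GDM's configuration and reports whether automatic login is enabled. The path /etc/gdm3/custom.conf and the [daemon] keys AutomaticLoginEnable and AutomaticLogin are assumed from standard GDM packaging on Ubuntu; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumption: GDM on Ubuntu reads
# /etc/gdm3/custom.conf; pass a different path as the first argument.

# Print the AutomaticLogin user if autologin is enabled in [daemon]; else nothing.
gdm_autologin_user() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
        /^[ \t]*[#;]/ { next }                      # commented-out defaults
        /^[ \t]*\[/   { section = trim($0); next }  # section header
        section == "[daemon]" && index($0, "=") {
            key = trim(substr($0, 1, index($0, "=") - 1))
            val = trim(substr($0, index($0, "=") + 1))
            if (key == "AutomaticLoginEnable") enabled = tolower(val)
            if (key == "AutomaticLogin")       user = val
        }
        END {
            if (enabled == "true" || enabled == "1") {
                print (user == "" ? "(no user set)" : user)
            }
        }
    ' "$1"
}

# Return 1 if autologin is on, 0 if off, 2 if the file is unreadable.
check_gdm_autologin() {
    conf=${1:-/etc/gdm3/custom.conf}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    user=$(gdm_autologin_user "$conf")
    if [ -n "$user" ]; then
        echo "autologin ENABLED for '$user' in $conf"
        return 1
    fi
    echo "autologin not enabled in $conf"
    return 0
}

# Constructed sample config with automatic login turned on (not a real host's file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[daemon]
AutomaticLoginEnable=True
AutomaticLogin=alice
# TimedLoginEnable = true
EOF
check_gdm_autologin "$sample" || true
rm -f "$sample"
```

On an affected 17.04 install, a non-zero result from `check_gdm_autologin` marks a host where the lock screen should not be relied on until the fixed gdm3 package is installed.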
CVE References
tags: added: zesty; removed: artul
description: updated
Changed in gdm3 (Ubuntu):
importance: Undecided → High
status: Confirmed → Triaged
Changed in gdm:
importance: Unknown → Medium
status: Unknown → Fix Released
debdiff attached