2022-05-03 09:54:26 |
Martin Zurowietz |
bug |
|
|
added bug |
2022-05-07 04:31:10 |
Seth Arnold |
marked as duplicate |
|
1969619 |
|
2022-05-07 04:31:18 |
Seth Arnold |
information type |
Private Security |
Public Security |
|
2022-05-07 04:31:19 |
Seth Arnold |
bug |
|
|
added subscriber Ubuntu Bugs |
2022-05-09 09:11:26 |
Martin Zurowietz |
removed duplicate marker |
1969619 |
|
|
2022-05-09 11:50:52 |
Sebastien Bacher |
gnome-remote-desktop (Ubuntu): importance |
Undecided |
High |
|
2022-05-09 11:50:52 |
Sebastien Bacher |
gnome-remote-desktop (Ubuntu): assignee |
|
Jeremy Bicha (jbicha) |
|
2022-05-09 13:14:43 |
Jeremy Bícha |
bug |
|
|
added subscriber Jeremy Bicha |
2022-05-10 17:11:28 |
Steve Beattie |
bug |
|
|
added subscriber Steve Beattie |
2022-05-10 18:04:39 |
Jeremy Bícha |
affects |
gnome-remote-desktop (Ubuntu) |
gnome-control-center (Ubuntu) |
|
2022-05-10 18:04:39 |
Jeremy Bícha |
gnome-control-center (Ubuntu): status |
New |
Triaged |
|
2022-05-11 02:02:51 |
Jeremy Bícha |
nominated for series |
|
Ubuntu Jammy |
|
2022-05-11 02:02:51 |
Jeremy Bícha |
bug task added |
|
gnome-control-center (Ubuntu Jammy) |
|
2022-05-11 02:02:56 |
Jeremy Bícha |
gnome-control-center (Ubuntu): status |
Triaged |
Fix Committed |
|
2022-05-11 02:03:01 |
Jeremy Bícha |
gnome-control-center (Ubuntu Jammy): importance |
Undecided |
High |
|
2022-05-11 02:03:04 |
Jeremy Bícha |
gnome-control-center (Ubuntu Jammy): status |
New |
Confirmed |
|
2022-05-11 02:09:44 |
Jeremy Bícha |
attachment added |
|
gnome-control-center-lp1971415.debdiff https://bugs.launchpad.net/ubuntu/+source/gnome-control-center/+bug/1971415/+attachment/5588335/+files/gnome-control-center-lp1971415.debdiff |
|
2022-05-11 02:15:38 |
Jeremy Bícha |
description |
If I disable sharing/remote desktop in GNOME Control Center, then log out and back in, it is automatically enabled again. I report this as a security vulnerability because remote desktop is enabled without the user's knowledge.
Software versions:
- Ubuntu 22.04
- gnome-remote-desktop 42.0-4ubuntu1
- gnome-control-center 1:41.4-1ubuntu13
Steps to reproduce:
1. Start with Remote Desktop enabled. "systemctl --user status gnome-remote-desktop.service" reports "active (running)".
2. Disable Remote Desktop in Control Center. systemctl reports "inactive (dead)".
3. Log out and back in.
4. Open Control Center. Remote Desktop is enabled again. systemctl reports "active (running)".
Expected behavior:
Remote Desktop should stay disabled upon the new login.
Actual behavior:
Remote Desktop was automatically enabled again.
Previous discussion: https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/1775#note_1443319 |
Details:
Turning off RDP Remote Desktop Sharing with gnome-control-center would only turn off RDP sharing for the current session. Upon logging back in, RDP Sharing would be enabled again without any additional user interaction or notification.
Other Info:
As mentioned in the comments at https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/1825 this issue could have been avoided if Ubuntu's gnome-remote-desktop didn't keep the systemd user service always running. I do intend to fix that issue also but it is a more complicated fix. I think it will require a maintainer script to remove the automatic conffiles added by dh. I will do the gnome-remote-desktop bugfix as a normal non-security SRU.
Original Bug Report:
If I disable sharing/remote desktop in GNOME Control Center, then log out and back in, it is automatically enabled again. I report this as a security vulnerability because remote desktop is enabled without the user's knowledge.
Software versions:
- Ubuntu 22.04
- gnome-remote-desktop 42.0-4ubuntu1
- gnome-control-center 1:41.4-1ubuntu13
Steps to reproduce:
1. Start with Remote Desktop enabled. "systemctl --user status gnome-remote-desktop.service" reports "active (running)".
2. Disable Remote Desktop in Control Center. systemctl reports "inactive (dead)".
3. Log out and back in.
4. Open Control Center. Remote Desktop is enabled again. systemctl reports "active (running)".
Expected behavior:
Remote Desktop should stay disabled upon the new login.
Actual behavior:
Remote Desktop was automatically enabled again.
Previous discussion: https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/1775#note_1443319 |
|
2022-05-11 02:16:25 |
Jeremy Bícha |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2022-05-11 07:31:01 |
Launchpad Janitor |
gnome-control-center (Ubuntu): status |
Fix Committed |
Fix Released |
|
2022-05-16 20:41:41 |
Jeremy Bícha |
cve linked |
|
2022-1736 |
|
2022-05-18 13:04:53 |
Jeremy Bícha |
attachment added |
|
gnome-control-center-lp1971415-version2.debdiff https://bugs.launchpad.net/ubuntu/+source/gnome-control-center/+bug/1971415/+attachment/5590908/+files/gnome-control-center-lp1971415-version2.debdiff |
|
2022-05-18 15:20:38 |
Launchpad Janitor |
gnome-control-center (Ubuntu Jammy): status |
Confirmed |
Fix Released |
|