Major security issue with light-locker - console switching gives access to other screens for a few seconds

Bug #1515662 reported by Nathan Neulinger
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
light-locker (Ubuntu) | Fix Released | Undecided | Unassigned |
lightdm (Ubuntu) | Invalid | Undecided | Unassigned |

Bug Description

light-locker is completely insecure for X configurations with multiple screens that are not using a single display.

My setup - 4 monitors, nvidia, each with separate screen.

If I lock the screen and then control-alt-f7 back to X, only one single screen is protected. After several seconds, it forces a switch to the lock display, but in the meantime, the other three screens are COMPLETELY UNPROTECTED.

It only takes a few seconds to launch a terminal and killall light-locker and I have unrestricted access to all.

Tyler Hicks (tyhicks) wrote :

Hi Nathan - Thanks for the bug report. I'm going to make it public so that more people can be aware of this issue in hopes that it'll get attention.

information type: Private Security → Public Security
Tyler Hicks (tyhicks) wrote :

Marking lightdm as invalid as it seems, from Nathan's description, that the issue is with light-locker.

Changed in lightdm (Ubuntu):
status: New → Invalid
Tyler Hicks (tyhicks) wrote :

I've subscribed the light-locker devs team so that they're aware.

Note that bug 1473904 and bug 1440499 are similar light-locker bypass issues.

Nathan Neulinger (nneul-0) wrote :

Wasn't clear to me on lightdm - since the light-locker docs/announcements talk about it "relying on lightdm" for the actual locking.

Changed in light-locker (Ubuntu):
status: New → Triaged
Theo Linkspfeifer (lastonestanding) wrote :

Now, almost three years and several versions later, is this security issue still present when using a multi-monitor setup?

Changed in light-locker (Ubuntu):
status: Triaged → Incomplete
Nathan Neulinger (nneul-0) wrote : Re: [Bug 1515662] Re: Major security issue with light-locker - console switching gives access to other screens for a few seconds

Just checked on 16, and it looks like this has been corrected. Behavior now is that it displays a splash screen on every monitor saying that the session is locked and I will be redirected shortly, then I get the lock screen on all displays.

I'd say this can be closed.

On 8/25/18 4:15 AM, Theo Linkspfeifer wrote:
> Now almost three years and several versions later is this security issue
> still present when using a multi monitor setup?
>
> ** Changed in: light-locker (Ubuntu)
> Status: Triaged => Incomplete
>

--
------------------------------------------------------------
Nathan Neulinger <email address hidden>
Neulinger Consulting (573) 612-1412

Theo Linkspfeifer (lastonestanding) wrote :

Thanks for testing it again.

Changed in light-locker (Ubuntu):
status: Incomplete → Fix Released
This report contains Public Security information  
Everyone can see this security related information.