Changing the password of the main user from within System Settings fails silently
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
systemsettings (Ubuntu) | New | Undecided | Unassigned |
Bug Description
HP Z220 SFF Workstation, 32 GB RAM, 250 GB SSD, 500 GB HDD, NVIDIA GTX 1050 Ti GPU with Nouveau driver, UEFI, no secure boot. Operating system is Kubuntu 22.04.1.
Steps to reproduce:
1. Open System Settings.
2. Search for "User".
3. Click on "Users".
4. Click "Change Password".
5. Type in your new password into the "Password" and "Confirm Password" boxes.
6. Click "Set Password".
7. Open a terminal with Ctrl+Alt+T.
8. Run "sudo su -".
9. Type your new password and press Enter.
Expected result: You are given a root shell.
Actual result: You are told "Sorry, try again." Typing your old password and pressing Enter will give you a root shell.
Note: Labeling this as a security vulnerability because a user could potentially be led to believe that they had secured themselves against a compromised password when in fact their system was still vulnerable. Note that this is probably a low-severity security bug (though a possibly critical functionality bug). I would set it to Public Security but I'm not totally sure how safe that is.
Also note, I only just thought of the security implications of this just now as I type this. I already reported the issue on Libera.Chat on the #kubuntu-devel channel, so I accidentally already disclosed it not realizing it was security related until just now. I don't think this is probably a problem, but in the event it is, now you know, sorry.
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: systemsettings 4:5.24.6-0ubuntu0.1
ProcVersionSign
Uname: Linux 5.15.0-48-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckR
CurrentDesktop: KDE
Date: Thu Sep 22 05:23:03 2022
InstallationDate: Installed on 2022-09-22 (0 days ago)
InstallationMedia: Kubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 (20220809.1)
SourcePackage: systemsettings
UpgradeStatus: No upgrade log present (probably fresh install)
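A defender's check for the failure mode described in the steps above: confirm from the shadow database whether the password actually changed, rather than relying on the GUI's "Set Password" feedback. This is an added example, not part of the bug report or of the systemsettings code; it assumes the shadow(5) field layout (name:hash:lastchange-in-days:...) and uses constructed, non-real entries to exercise the comparison offline. Reading the live /etc/shadow requires root.

```shell
#!/bin/sh
# Added example: did a password change really take effect?
# Compare the hash and "last changed" fields of a user's shadow entry
# taken before and after the change. Assumes shadow(5) format.

# Print "hash lastchange" for user $1 from shadow-format text on stdin.
shadow_fields() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# Return 0 if the user's password changed between two shadow snapshots,
# 1 if it did not, 2 if the user is missing from either snapshot.
# Usage: password_changed USER BEFORE_TEXT AFTER_TEXT
password_changed() {
    before=$(printf '%s\n' "$2" | shadow_fields "$1")
    after=$(printf '%s\n' "$3" | shadow_fields "$1")
    [ -n "$before" ] && [ -n "$after" ] || return 2
    hash_before=${before%% *}; hash_after=${after%% *}
    day_before=${before##* };  day_after=${after##* }
    # A genuine change produces a new hash (new salt at minimum) and a
    # lastchange day that is not earlier than the previous one.
    [ "$hash_before" != "$hash_after" ] && [ "$day_after" -ge "$day_before" ]
}

# Live use (as root): snapshot_shadow > before.txt, change the password in
# System Settings, snapshot_shadow > after.txt, then
#   password_changed "$USER" "$(cat before.txt)" "$(cat after.txt)"
snapshot_shadow() { cat /etc/shadow; }

# Constructed sample entries (placeholder hashes, not real credentials).
# lastchange 19257 is 2022-09-22 expressed as days since 1970-01-01.
SAMPLE_BEFORE='alice:$6$SALTA$HASHA:19000:0:99999:7:::
bob:$6$SALTB$HASHB:19000:0:99999:7:::'
SAMPLE_AFTER_UNCHANGED="$SAMPLE_BEFORE"
SAMPLE_AFTER_CHANGED='alice:$6$SALTC$HASHC:19257:0:99999:7:::
bob:$6$SALTB$HASHB:19000:0:99999:7:::'
```

If the check reports no change after the GUI claims success, the silent failure in this report has occurred and the old password is still the one that authenticates.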
Since this is already publicly mentioned in IRC, I am marking this bug as Public as well.