Lock screen doesn't cover entire desktop on HiDPI display with draw-user-backgrounds unchecked

Bug #1666359 reported by Jeremy Nation on 2017-02-21
This bug affects 1 person
Affects: unity (Ubuntu) | Importance: High | Assigned to: Marco Trevisan (Treviño)
Nominated for Xenial by Marco Trevisan (Treviño)
Affects: Xenial | Importance: Undecided | Assigned to: Unassigned

Bug Description

Ubuntu 16.04.2 LTS using Unity
unity-greeter 16.04.2-0ubuntu1

[Impact]
On a HiDPI monitor on a Dell XPS 13 9343 laptop, if you uncheck com.canonical.unity-greeter -> draw-user-backgrounds and then lock the desktop:

Expected: the purple placeholder wallpaper should cover the entire desktop
Observed: the purple placeholder wallpaper only covers the top-left part of the desktop

I'm attaching an image showing roughly what the desktop looks like when it's locked. The green rectangle is the part covered by the purple wallpaper, the red is stuff that should not be visible when locked, and the yellow is the usual name/password entry box that is partially transparent.

I'm marking this bug as a security vulnerability because it allows someone to see part of a user's desktop even when the desktop is locked.

[Test Case]
1. Make sure to use an HiDPI monitor
2. Open terminal
3. gsettings set com.canonical.unity-greeter draw-user-backgrounds false
4. Lock the screen
5. Make sure the background is properly drawn.

[Potential Regression]
Make sure lockscreen background is drawn properly on a non-HiDPI monitor too. Also make sure that when using "draw-user-backgrounds == true" the background is properly drawn.


Jeremy Nation (jnation) on 2017-02-21
information type: Public → Private Security
affects: unity-greeter (Ubuntu) → unity (Ubuntu)
information type: Private Security → Public Security
Changed in unity (Ubuntu):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity - 7.5.0+17.04.20170222-0ubuntu1

---------------
unity (7.5.0+17.04.20170222-0ubuntu1) zesty; urgency=medium

  * BackgroundSettings: use gnome-bg to generate textures with proper
    scaling (LP: #1666359)

 -- Marco Trevisan (Treviño) <mail@3v1n0.net> Wed, 22 Feb 2017 01:52:54 +0000

Changed in unity (Ubuntu):
status: In Progress → Fix Released
Andrea Azzarone (azzar1) on 2017-07-17
description: updated

Hello Jeremy, or anyone else affected,

Accepted unity into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unity/7.4.5+16.04.20171116 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in unity (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed verification-needed-xenial
Jeremy Nation (jnation) wrote :

Thanks for the work on this, however I'm not willing to test the update from xenial-proposed in the base install on the laptop where I found the problem. Were any of you able to verify the fix yourselves? If necessary I can try to reproduce the problem and fix in a VM.

Łukasz Zemczak (sil2100) wrote :

Hello Jeremy, or anyone else affected,

Accepted unity into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unity/7.4.5+16.04.20171201.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Jeremy Nation (jnation) wrote :

Hi Łukasz, is this issue waiting on me? Please see my earlier comment https://bugs.launchpad.net/ubuntu/xenial/+source/unity/+bug/1666359/comments/4 .

Łukasz Zemczak (sil2100) wrote :

@jnation The package is waiting for someone to perform validation, i.e. someone installing the package from -proposed, running the test case on it, making sure the fix works as expected and then reporting the test results as a comment in this bug, along with setting the verification-xenial-done tag - as per the SRU policy [1]. Without this, the update will not leave -proposed. It can be you or any other user, but from experience we know most bugs are validated by either the person reporting or the person preparing the fix.

Thanks.

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Verification

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity - 7.4.5+16.04.20171201.3

---------------
unity (7.4.5+16.04.20171201.3) xenial; urgency=medium

  [ Marco Trevisan (Treviño) ]
  * InputMonitor: add an unity class that monitors XInput2 events and
    converts them to XEvent
  * EdgeBarrierController: use InputMonitor to get the barrier events
    instead of relying on its implementation
  * DecorationsMenuLayout: use input monitor for menu scrubbing (LP:
    #1614597)
  * PanelView: use InputMonitor to track menu events
  * LockScreenPanel: use InputMonitor events instead of mouse polling
    for menu scrubbing
  * MenuManager: add support for mouse trackers with triangle algorithm
    support (LP: #1618405)
  * PanelView: scale gradient refinement properly
  * PanelService: don't allow to deactivate menus if they've been opened
    too shortly
  * LockScreenController: ignore icon_paths_changed signal in
    menumanager for Lockscreen
  * LockScreenController: use InputMonitor to get all the events and
    hide the Blank Window (LP: #1321075)
  * LockScreenController: use input monitor to get the events to switch
    monitor (LP: #1316862)
  * LauncherOptions: use track_obj to manage option changes (LP:
    #1622995)
  * UnityScreen: toggle gestures recognition on lock (LP: #1645507)
  * GnomeSessionManager: add gcancellable to instance and use it for
    calls with temporary proxies
  * BackgroundSettings: use gnome-bg to generate textures with proper
    scaling (LP: #1666359)
  * UnityWindow: safely check validity of UnityWindow from scaled one
    (LP: #1659847)
  * Panel: ensure the menu-manager tracker is updated to match monitor
    (LP: #1671432)
  * compiz-profile-setter: tool to update the current profile and use in
    systemd and Unity settings (LP: #1668950)
  * BGHash, UnityScreen: get desktop averageColor from compiz
  * Launcher: disable or reduce most icon effects on lowgfx (LP:
    #1700859)
  * PanelController: ensure we disconnect from signals on destruction
    (LP: #1504870)
  * tools: add migration script to set the default values for unity-
    lowgfx profile

  [ Andrea Azzarone ]
  * Properly handle the file manager copy dialog in
    FileManagerLauncherIcon and in StorageLauncherIcon. (LP: #1575452,
    LP: #1609845)
  * Correctly position the force quit dialog when scaling is different
    than 1.0 (LP: #1637991)
  * GnomeSession: Retrieve the session id using dbus if $XDG_SESSION_ID
    is not set
  * Round gtk scaling factor to closest integer. (LP: #1649736)
  * Keep the screen locked if rebooting with autologin. (LP: #1600389)
  * Use g_mkdir_with_parents instead of mkdir.
  * Lockscreen: always draw the background-color in the lockscreen (LP:
    #1702701)
  * Refactor the way UserAuthenticator is created and passed around.
    Handle failures to create new threads and fallback to a "Switch to
    greeter..." button in case of failure. (LP: #1311316)
  * Wait until the color buffer is cleared before suspending. (LP:
    #1532508)

  [ Kai-Heng Feng ]
  * UnitySettings: If scale-factor is not set, find and set right scale
    for HiDPI displays.

  [ Eleni Maria Stea ]
  * shouldn't create blur rectangles when there's ...


Changed in unity (Ubuntu Xenial):
status: Fix Committed → Fix Released
Jeremy Nation (jnation) wrote :

I can confirm this is fixed for me now with the recent updates. Thanks everyone!
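
A host check built from the details in this report, as an added example that is not part of the bug thread or the Unity project: it compares the installed unity version against the fixed versions recorded in the changelog entries above and reads the draw-user-backgrounds key from the test case. The function names, the status strings and the `sort -V` fallback are assumptions; HiDPI scaling itself is not detected.

```shell
#!/bin/sh
# Added example for LP: #1666359; helper names and status strings are hypothetical.
# Fixed versions exactly as recorded in this bug's changelog entries.
FIXED_XENIAL='7.4.5+16.04.20171201.3'
FIXED_ZESTY='7.5.0+17.04.20170222-0ubuntu1'

# version_lt A B: succeed when version A sorts strictly before version B.
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        # Fallback (assumption): GNU sort -V, adequate for these simple versions.
        [ "$1" != "$2" ] &&
            [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# lockscreen_status SERIES INSTALLED_VERSION DRAW_USER_BACKGROUNDS
# Prints one of: fixed, exposed, older-trigger-off, unknown-series.
lockscreen_status() {
    case "$1" in
        xenial) fixed=$FIXED_XENIAL ;;
        zesty)  fixed=$FIXED_ZESTY ;;
        *) echo unknown-series; return 0 ;;
    esac
    if ! version_lt "$2" "$fixed"; then
        echo fixed                # at or past the release that closed the bug
    elif [ "$3" = "false" ]; then
        echo exposed              # older package with the triggering setting
    else
        echo older-trigger-off    # older package, setting from the report not in use
    fi
}

# check_host: gather the three inputs from the running system.
check_host() {
    series=$(lsb_release -sc)
    installed=$(dpkg-query -W -f='${Version}' unity)
    setting=$(gsettings get com.canonical.unity-greeter draw-user-backgrounds)
    lockscreen_status "$series" "$installed" "$setting"
}

if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it with `--check` inside the affected user's desktop session so that gsettings reads that user's setting.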
