Information disclosure when using an external monitor on a screen-locked system

Bug #960073 reported by Nick Moffitt on 2012-03-20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
unity (Ubuntu)

Bug Description

This problem occurs when my screen is locked on this laptop (such as when resuming from suspend), and I plug an external monitor in: for a brief moment the second screen shows not the locked screen graphic or a blank field, but the contents of what WILL be on that screen once the password is entered. This morning as I did this I noticed a private e-mail on that screen, and realized that this is a security risk.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: unity 5.6.0-0ubuntu4
ProcVersionSignature: Ubuntu 3.2.0-19.30-generic 3.2.11
Uname: Linux 3.2.0-19-generic x86_64

ApportVersion: 1.94.1-0ubuntu2
Architecture: amd64
CompizPlugins: [core,bailer,detection,composite,opengl,decor,snap,gnomecompat,grid,regex,mousepoll,compiztoolbox,resize,move,wall,animation,vpswitch,place,imgpng,workarounds,expo,fade,ezoom,session,scale,unityshell]
CompositorRunning: compiz
Date: Tue Mar 20 10:16:40 2012
DistUpgraded: 2012-02-06 11:08:30,227 DEBUG enabling apt cron job
DistroCodename: precise
DistroVariant: ubuntu
EcryptfsInUse: Yes
 Intel Corporation Mobile 4 Series Chipset Integrated Graphics Controller [8086:2a42] (rev 07) (prog-if 00 [VGA controller])
   Subsystem: Lenovo Device [17aa:20e4]
   Subsystem: Lenovo Device [17aa:20e4]
MachineType: LENOVO 7465CTO
 PATH=(custom, user)
ProcKernelCmdLine: root=UUID=5237fceb-23d0-412d-84d9-b8f8b3bf28af ro quiet splash
SourcePackage: unity
UpgradeStatus: Upgraded to precise on 2012-03-13 (7 days ago) 06/25/2009
dmi.bios.vendor: LENOVO
dmi.bios.version: 6DET55WW (3.05 ) 7465CTO
dmi.board.vendor: LENOVO
dmi.board.version: Not Available
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Not Available
dmi.modalias: dmi:bvnLENOVO:bvr6DET55WW(3.05):bd06/25/2009:svnLENOVO:pn7465CTO:pvrThinkPadX200s:rvnLENOVO:rn7465CTO:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable: 7465CTO
dmi.product.version: ThinkPad X200s
dmi.sys.vendor: LENOVO
version.compiz: compiz 1:
version.ia32-libs: ia32-libs N/A
version.libdrm2: libdrm2 2.4.30-1ubuntu1
version.libgl1-mesa-dri: libgl1-mesa-dri 8.0.1-0ubuntu5
version.libgl1-mesa-dri-experimental: libgl1-mesa-dri-experimental N/A
version.libgl1-mesa-glx: libgl1-mesa-glx 8.0.1-0ubuntu5
version.xserver-xorg-core: xserver-xorg-core 2:1.11.4-0ubuntu6
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev 1:2.7.0-0ubuntu1
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:6.14.99~git20111219.aacbd629-0ubuntu2
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.17.0-1ubuntu4
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:0.0.16+git20111201+b5534a1-1build2

Nick Moffitt (nick-moffitt) wrote :
visibility: private → public
Omer Akram (om26er) wrote :

That's likely a duplicate bug. We should really do something about this long-standing security issue.

Changed in unity (Ubuntu):
importance: Undecided → Low
security vulnerability: yes → no
Omer Akram (om26er) wrote :

This issue, I believe, is being looked at this development cycle.

Daniel van Vugt (vanvugt) wrote :

Might be related to bug 995387.

Nick Moffitt (nick-moffitt) wrote :

This still happens to me in Raring.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unity (Ubuntu):
status: New → Confirmed
Scott Ritchie (scottritchie) wrote :

Occurs in Trusty, and you don't need to actively plug in an external monitor -- I get it when the laptop was already on one, even in clamshell mode.

summary: - Information disclosure when plugging an external monitor into a screen-
- locked system
+ Information disclosure when using an external monitor on a screen-locked
+ system
Changed in unity:
importance: Undecided → Low
status: New → Confirmed