Information disclosure when using an external monitor on a screen-locked system

Bug #960073 reported by Nick Moffitt on 2012-03-20
This bug affects 3 people
Affects: Unity. Status: Confirmed. Importance: Low. Assigned to: Unassigned.
Affects: unity (Ubuntu). Importance: Low. Assigned to: Unassigned.

Bug Description

This problem occurs when my screen is locked on this laptop (such as when resuming from suspend), and I plug an external monitor in: for a brief moment the second screen shows not the locked screen graphic or a blank field, but the contents of what WILL be on that screen once the password is entered. This morning as I did this I noticed a private e-mail on that screen, and realized that this is a security risk.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: unity 5.6.0-0ubuntu4
ProcVersionSignature: Ubuntu 3.2.0-19.30-generic 3.2.11
Uname: Linux 3.2.0-19-generic x86_64
ApportVersion: 1.94.1-0ubuntu2
Architecture: amd64
CompizPlugins: [core,bailer,detection,composite,opengl,decor,snap,gnomecompat,grid,regex,mousepoll,compiztoolbox,resize,move,wall,animation,vpswitch,place,imgpng,workarounds,expo,fade,ezoom,session,scale,unityshell]
CompositorRunning: compiz
Date: Tue Mar 20 10:16:40 2012
DistUpgraded: 2012-02-06 11:08:30,227 DEBUG enabling apt cron job
DistroCodename: precise
DistroVariant: ubuntu
EcryptfsInUse: Yes
GraphicsCard:
 Intel Corporation Mobile 4 Series Chipset Integrated Graphics Controller [8086:2a42] (rev 07) (prog-if 00 [VGA controller])
   Subsystem: Lenovo Device [17aa:20e4]
MachineType: LENOVO 7465CTO
ProcEnviron:
 TERM=xterm
 LC_COLLATE=C
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcKernelCmdLine: root=UUID=5237fceb-23d0-412d-84d9-b8f8b3bf28af ro quiet splash
SourcePackage: unity
UpgradeStatus: Upgraded to precise on 2012-03-13 (7 days ago)
dmi.bios.date: 06/25/2009
dmi.bios.vendor: LENOVO
dmi.bios.version: 6DET55WW (3.05 )
dmi.board.name: 7465CTO
dmi.board.vendor: LENOVO
dmi.board.version: Not Available
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Not Available
dmi.modalias: dmi:bvnLENOVO:bvr6DET55WW(3.05):bd06/25/2009:svnLENOVO:pn7465CTO:pvrThinkPadX200s:rvnLENOVO:rn7465CTO:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
dmi.product.name: 7465CTO
dmi.product.version: ThinkPad X200s
dmi.sys.vendor: LENOVO
version.compiz: compiz 1:0.9.7.0+bzr3035-0ubuntu1
version.ia32-libs: ia32-libs N/A
version.libdrm2: libdrm2 2.4.30-1ubuntu1
version.libgl1-mesa-dri: libgl1-mesa-dri 8.0.1-0ubuntu5
version.libgl1-mesa-dri-experimental: libgl1-mesa-dri-experimental N/A
version.libgl1-mesa-glx: libgl1-mesa-glx 8.0.1-0ubuntu5
version.xserver-xorg-core: xserver-xorg-core 2:1.11.4-0ubuntu6
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev 1:2.7.0-0ubuntu1
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:6.14.99~git20111219.aacbd629-0ubuntu2
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.17.0-1ubuntu4
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:0.0.16+git20111201+b5534a1-1build2

Nick Moffitt (nick-moffitt) wrote :
visibility: private → public
Omer Akram (om26er) wrote :

That's likely a duplicate bug. We should really do something about this long-standing security issue.

Changed in unity (Ubuntu):
importance: Undecided → Low
security vulnerability: yes → no
Omer Akram (om26er) wrote :

This issue, I believe, is being looked at this development cycle.

Daniel van Vugt (vanvugt) wrote :

Might be related to bug 995387.

Nick Moffitt (nick-moffitt) wrote :

This still happens to me in Raring.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unity (Ubuntu):
status: New → Confirmed
Scott Ritchie (scottritchie) wrote :

Occurs in Trusty, and you don't need to actively plug in an external monitor -- I get it when the laptop was already on one, even in clamshell mode.

summary: - Information disclosure when plugging an external monitor into a screen-
- locked system
+ Information disclosure when using an external monitor on a screen-locked
+ system
Changed in unity:
importance: Undecided → Low
status: New → Confirmed