rebooting defeats the screen lock timeout

Bug #1383086 reported by James Hunt
This bug affects 3 people
Affects: unity8 (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Michael Terry

Bug Description

If you enable PIN unlock, then repeatedly enter the incorrect PIN, eventually you'll get a message stating that the phone cannot be unlocked for 5 minutes. However, this restriction can be trivially bypassed by simply rebooting the phone (which takes less than 5 minutes :-)

krillin, r117.

James Hunt (jamesodhunt)
information type: Public → Public Security
Changed in unity8 (Ubuntu):
assignee: nobody → Michael Terry (mterry)
Michał Sawicz (saviq) wrote :

I think this was discussed and ACKed by security; the time needed to reboot is enough to prevent any real brute-forcing of the password.

Changed in unity8 (Ubuntu):
status: New → Incomplete
assignee: Michael Terry (mterry) → nobody
Michael Terry (mterry) wrote :

This is relatively easy to fix -- need to just save the time we should allow login again in a field.
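
The fix suggested in the comment above, as an added C++ example that is not part of the thread and is not unity8's code: the time at which login is allowed again is written to storage, so a restart reloads it instead of starting fresh. It goes one step beyond the comment by also persisting the failed-attempt count; the state file path, the class name and the constants are assumptions.

```cpp
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <string>
#include <utility>

// Hypothetical policy values; the report only states the 5-minute lockout.
constexpr int kMaxFailures = 5;
constexpr std::int64_t kLockoutSecs = 5 * 60;

class LockoutState {
public:
    // `path` is a hypothetical state file that only the greeter can write.
    explicit LockoutState(std::string path) : path_(std::move(path)) {
        std::ifstream in(path_);
        // A missing or unreadable file means no failures have been recorded.
        if (!(in >> failures_ >> unlockAt_)) { failures_ = 0; unlockAt_ = 0; }
    }
    // `now` is wall-clock epoch seconds, because a monotonic clock restarts
    // at boot. Assumes the clock cannot be changed from the lock screen.
    bool isLocked(std::int64_t now) const { return now < unlockAt_; }
    // Record one PIN attempt; returns true only if the device may unlock.
    bool attempt(bool pinCorrect, std::int64_t now) {
        if (isLocked(now)) return false;  // refuse even a correct PIN
        if (pinCorrect) { failures_ = 0; unlockAt_ = 0; save(); return true; }
        if (++failures_ >= kMaxFailures) { failures_ = 0; unlockAt_ = now + kLockoutSecs; }
        save();  // persist before reporting the failure to the user
        return false;
    }
private:
    void save() const {
        std::ofstream out(path_, std::ios::trunc);
        out << failures_ << ' ' << unlockAt_ << '\n';
    }
    std::string path_;
    int failures_ = 0;
    std::int64_t unlockAt_ = 0;
};

// Constructed scenario: lock out, "reboot" by reloading from the same file,
// and report whether the lockout is still enforced afterwards.
bool lockoutSurvivesReboot(const std::string& path, std::int64_t now) {
    std::remove(path.c_str());
    { LockoutState s(path); for (int i = 0; i < kMaxFailures; ++i) s.attempt(false, now); }
    LockoutState afterReboot(path);
    return afterReboot.isLocked(now + 60) && !afterReboot.attempt(true, now + 60);
}
```

An in-memory timer would pass none of these checks after a restart, which is the behaviour the bug describes.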

Jamie Strandboge (jdstrand) wrote :

While I think the time to reboot is 'enough', it is clearly a bug and mterry's suggestion makes sense to me.

Michał Sawicz (saviq)
Changed in unity8 (Ubuntu):
status: Incomplete → Triaged
importance: Undecided → Medium
assignee: nobody → Michael Terry (mterry)
Michael Terry (mterry)
Changed in unity8 (Ubuntu):
assignee: Michael Terry (mterry) → nobody
Michael Terry (mterry)
Changed in unity8 (Ubuntu):
assignee: nobody → Michael Terry (mterry)
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity8 - 8.11+15.10.20150907-0ubuntu1

---------------
unity8 (8.11+15.10.20150907-0ubuntu1) wily; urgency=medium

  [ Michal Sawicz ]
  * Resync wily with vivid

  [ Albert Astals Cid ]
  * Accomodate header height when using a card carousel with non
    overlayed header (LP: #1489309)
  * Fix restart unity8 from inside the phone more than two times (LP:
    #1487946)

  [ Gary.Wzl ]
  * Move textarea up automatically when inputmethod popup. (LP:
    #1485947)

  [ Lukáš Tinkl ]
  * Introduce a GlobalShortcut QML component for handling global
    keyboard shortcuts

  [ Michael Terry ]
  * Fix the fact that a user that is locked out from their account for
    five minutes after entering too many wrong passwords can simply
    reboot to try again. (LP: #1383086)
  * Fix the fact that a user that is locked out from their account for
    five minutes after entering too many wrong passwords can simply
    reboot to try again. (LP: #1383086)

  [ Michael Zanetti ]
  * Implement progressive autoscrolling in desktop spread
  * add an animation transition when invoking the spread by hitting the
    right edge

 -- CI Train Bot <email address hidden> Mon, 07 Sep 2015 14:05:37 +0000

Changed in unity8 (Ubuntu):
status: In Progress → Fix Released