Device can be tricked into exposing mtp service without being unlocked first

Bug #1525981 reported by Michael Terry
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Canonical System Image
Fix Released
High
kevin gunn
unity8 (Ubuntu)
Fix Released
Undecided
Michael Terry

Bug Description

Steps to reproduce:

- Boot your phone up (notice mtp is not accessible)
- Start to make an emergency call (notice mtp is not accessible)
- Cancel emergency call and go back to greeter (notice mtp IS accessible)

That's bad.

This happens because mtp-server pays attention to the greeter saying it's active over DBus. And the first time it says it's active, mtp-server makes itself available.

I believe the greeter has a bug where it briefly says it's inactive when transitioning between emergency dialer and the greeter. We should close that gap (once I confirm it exists).

Related branches

CVE References

Michael Terry (mterry)
Changed in unity8 (Ubuntu):
assignee: nobody → Michael Terry (mterry)
Michael Terry (mterry)
information type: Private Security → Public Security
Michael Terry (mterry)
description: updated
Changed in unity8 (Ubuntu):
status: New → In Progress
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2015-7946

Changed in canonical-devices-system-image:
status: New → Fix Committed
importance: Undecided → High
assignee: nobody → kevin gunn (kgunn72)
milestone: none → ww02-2016
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity8 - 8.11+16.04.20160111.1-0ubuntu1

---------------
unity8 (8.11+16.04.20160111.1-0ubuntu1) xenial; urgency=medium

  [ Albert Astals Cid ]
  * Clear fake item icon name as soon as it goes invisible (LP:
    #1531172)
  * Fix LVWPH test failing on Xenial (Qt 5.5)
  * Fix dragging so that test passes on Xenial
  * Fix focus on the dash page header text field with new SDK (LP:
    #1528178)
  * Make the card creator test pass again
  * Quit the dash communicator thread before destroying it (LP:
    #1508485)
  * Remove duplicated override_dh_auto_clean
  * SDK changed the name they give to the buttons, follow

  [ Andrea Cimitan ]
  * Fix a broken binding

  [ CI Train Bot ]
  * Resync trunk.
  * Update translation template

  [ Daniel d'Andrada ]
  * Have "make tryFoo" work with Qt 5.5
  * Make DragHandle tests run again.

  [ Lukáš Tinkl ]
  * Fix dismissing the launcher when clicking/tapping outside (LP:
    #1531339, #1530940)
  * Fix panel drop shadow and click-to-focus of maximized apps (LP:
    #1531854)
  * Fix wifi access point indicator items signal strength icon on
    desktop

  [ Michael Terry ]
  * Guard against a couple odd timing scenarios for the too-many-failed-
    login-attempts lockout screen.
  * Skip the wizard's password screens if there is already a password
    set by other means. (LP: #1531268)
  * Stop the emergency dialer from accidentally exposing the mtp
    service. (LP: #1525981)

  [ Michael Zanetti ]
  * Make sure the triangle of the quicklist is in bounds (LP: #1531340)

  [ Pawel Stolowski ]
  * Changes 'shareData' and 'contentType' attributes to 'share-data' and
    'content-type', to match existing naming schema.

 -- Michał Sawicz <email address hidden> Mon, 11 Jan 2016 17:38:49 +0000

Changed in unity8 (Ubuntu):
status: In Progress → Fix Released
Changed in canonical-devices-system-image:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.