2014-09-16 11:57:59 |
Margarita Manterola |
bug |
|
|
added bug |
2014-09-16 11:58:31 |
Margarita Manterola |
bug |
|
|
added subscriber Goobuntu Team |
2014-09-16 12:18:53 |
Launchpad Janitor |
unity (Ubuntu): status |
New |
Confirmed |
|
2014-09-16 13:08:50 |
Margarita Manterola |
description |
Hi,
Steps to reproduce:
1 - Have at least one process that takes a long time to shut down
2 - Lock the screen
3 - From the lockscreen, tell the computer to shut down
Expected behavior:
* Session programs are closed while the screen is still locked
* During shutdown, no user interaction is possible
Observed behavior:
* The lockscreen is gone immediately, allowing access to session programs that are still running
* This continues until the shutdown of other processes is done.
Observed on an updated Trusty machine, running unity version 7.2.2+14.04.20140714-0ubuntu1.1
I consider this bug a security vulnerability because depending on the time it takes to shut down the machine, it might allow access and interaction with sensitive information. |
Hi,
Steps to reproduce:
1 - Lock the screen
2 - From the lockscreen, tell the computer to shut down / restart
Expected behavior:
* Session programs are closed while the screen is still locked
* During shutdown, no user interaction is possible
Observed behavior:
* The lockscreen is gone immediately, with the rest of compiz (e.g. window decorations are not present)
* But it's possible to interact with programs that are still running in the session for about 3 seconds
Observed on an updated Trusty machine, running unity version 7.2.2+14.04.20140714-0ubuntu1.1
I consider this bug a security vulnerability because depending on the time it takes to shut down the machine, it might allow access and interaction with sensitive information. Yes, it's short, but you could take a picture or even rm -rf / if there happened to be a root console available. |
|
2014-09-16 13:10:58 |
Margarita Manterola |
description |
Hi,
Steps to reproduce:
1 - Lock the screen
2 - From the lockscreen, tell the computer to shut down / restart
Expected behavior:
* Session programs are closed while the screen is still locked
* During shutdown, no user interaction is possible
Observed behavior:
* The lockscreen is gone immediately, with the rest of compiz (e.g. window decorations are not present)
* But it's possible to interact with programs that are still running in the session for about 3 seconds
Observed on an updated Trusty machine, running unity version 7.2.2+14.04.20140714-0ubuntu1.1
I consider this bug a security vulnerability because depending on the time it takes to shut down the machine, it might allow access and interaction with sensitive information. Yes, it's short, but you could take a picture or even rm -rf / if there happened to be a root console available. |
Hi,
Steps to reproduce:
1 - Lock the screen
2 - From the lockscreen, tell the computer to shut down / restart
Expected behavior:
* Session programs are closed while the screen is still locked
* During shutdown, no user interaction is possible
Observed behavior:
* The lockscreen is gone immediately, with the rest of compiz (e.g. window decorations are not present)
* But it's possible to interact with programs that are still running in the session for about 3 seconds
Observed on an updated Trusty machine, running unity version 7.2.2+14.04.20140714-0ubuntu1.1
I consider this bug a security vulnerability because during those 3 seconds it could be possible to access and interact with sensitive information. Yes, it's short, but you could take a picture or even rm -rf / if there happened to be a root console available. |
|
2014-09-16 18:48:15 |
Seth Arnold |
bug |
|
|
added subscriber Marco Trevisan (Treviño) |
2014-09-16 22:50:16 |
Marco Trevisan (Treviño) |
unity (Ubuntu): status |
Confirmed |
Triaged |
|
2014-09-16 22:50:22 |
Marco Trevisan (Treviño) |
tags |
|
lockscreen |
|
2014-09-16 22:52:51 |
Marco Trevisan (Treviño) |
unity: status |
New |
Triaged |
|
2014-09-16 23:59:22 |
Marco Trevisan (Treviño) |
unity: importance |
Undecided |
Medium |
|
2014-09-16 23:59:25 |
Marco Trevisan (Treviño) |
unity (Ubuntu): importance |
Undecided |
High |
|
2014-09-16 23:59:27 |
Marco Trevisan (Treviño) |
unity (Ubuntu): importance |
High |
Medium |
|
2014-09-16 23:59:38 |
Marco Trevisan (Treviño) |
unity: assignee |
|
Andrea Azzarone (andyrock) |
|
2014-09-16 23:59:45 |
Marco Trevisan (Treviño) |
unity: milestone |
|
7.3.1 |
|
2014-09-19 15:01:37 |
Andrea Azzarone |
unity (Ubuntu): assignee |
|
Andrea Azzarone (andyrock) |
|
2014-09-23 16:08:23 |
Andrea Azzarone |
unity: importance |
Medium |
High |
|
2014-09-23 16:08:29 |
Andrea Azzarone |
unity: status |
Triaged |
In Progress |
|
2014-09-23 16:08:35 |
Andrea Azzarone |
unity (Ubuntu): status |
Triaged |
In Progress |
|
2014-10-10 15:01:08 |
Andrea Azzarone |
branch linked |
|
lp:~andyrock/unity/unmap-on-shutdown |
|
2014-11-28 21:45:20 |
Launchpad Janitor |
unity (Ubuntu): status |
In Progress |
Fix Released |
|
2014-11-29 18:26:16 |
Marco Trevisan (Treviño) |
unity: status |
In Progress |
Fix Committed |
|
2014-12-16 18:45:41 |
Marco Trevisan (Treviño) |
unity/7.2: importance |
Undecided |
High |
|
2014-12-16 18:45:41 |
Marco Trevisan (Treviño) |
unity/7.2: status |
New |
Fix Committed |
|
2014-12-16 18:45:41 |
Marco Trevisan (Treviño) |
unity/7.2: milestone |
|
7.2.4 |
|
2014-12-16 18:45:41 |
Marco Trevisan (Treviño) |
unity/7.2: assignee |
|
Andrea Azzarone (andyrock) |
|
2014-12-16 18:45:55 |
Marco Trevisan (Treviño) |
unity/7.2: status |
Fix Committed |
In Progress |
|
2014-12-16 19:37:03 |
Launchpad Janitor |
branch linked |
|
lp:~unity-team/unity/7.2.4 |
|
2014-12-29 15:38:52 |
Stephen M. Webb |
description |
Hi,
Steps to reproduce:
1 - Lock the screen
2 - From the lockscreen, tell the computer to shut down / restart
Expected behavior:
* Session programs are closed while the screen is still locked
* During shutdown, no user interaction is possible
Observed behavior:
* The lockscreen is gone immediately, with the rest of compiz (e.g. window decorations are not present)
* But it's possible to interact with programs that are still running in the session for about 3 seconds
Observed on an updated Trusty machine, running unity version 7.2.2+14.04.20140714-0ubuntu1.1
I consider this bug a security vulnerability because during those 3 seconds it could be possible to access and interact with sensitive information. Yes, it's short, but you could take a picture or even rm -rf / if there happened to be a root console available. |
[Impact and Test Case]
Steps to reproduce:
1 - Lock the screen
2 - From the lockscreen, tell the computer to shut down / restart
Expected behavior:
* Session programs are closed while the screen is still locked
* During shutdown, no user interaction is possible
Observed behavior:
* The lockscreen is gone immediately, with the rest of compiz (e.g. window decorations are not present)
* But it's possible to interact with programs that are still running in the session for about 3 seconds
Observed on an updated Trusty machine, running unity version 7.2.2+14.04.20140714-0ubuntu1.1
I consider this bug a security vulnerability because during those 3 seconds it could be possible to access and interact with sensitive information. Yes, it's short, but you could take a picture or even rm -rf / if there happened to be a root console available.
[Regression Potential]
An improper implementation of the fix for this issue could result in an indefinite hang during system shutdown, or could result in the problem not being completely fixed and the security vulnerability continuing.
Neither appears to be the case.
[ Other Info ]
The Ubuntu 14.04 LTS SRU has been cherry-picked from upstream Unity, where it has been in development-level production code in the Ubuntu 'Vivid Vervet' development release for a few months and has not displayed additional problems. |
|
2014-12-29 15:39:19 |
Stephen M. Webb |
attachment added |
|
debdiff between unity_7.2.3+14.04.20140826-0ubuntu1 and unity_7.2.4+14.04.20141217-0ubuntu1 https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1370017/+attachment/4289404/+files/unity_7.2.4%2B14.04.20141217-0ubuntu1.debdiff |
|
2014-12-29 15:39:41 |
Stephen M. Webb |
information type |
Private Security |
Public Security |
|
2015-01-14 17:47:39 |
Chris J Arges |
nominated for series |
|
Ubuntu Trusty |
|
2015-01-14 17:47:39 |
Chris J Arges |
bug task added |
|
unity (Ubuntu Trusty) |
|
2015-01-14 18:05:51 |
Chris J Arges |
unity (Ubuntu Trusty): status |
New |
Fix Committed |
|
2015-01-14 18:08:19 |
Chris J Arges |
tags |
lockscreen |
lockscreen verification-needed-trusty |
|
2015-01-17 15:51:36 |
Mateusz Stachowski |
tags |
lockscreen verification-needed-trusty |
lockscreen verification-done-trusty |
|
2015-02-04 16:50:58 |
Launchpad Janitor |
unity (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2015-02-11 16:13:12 |
Stephen M. Webb |
unity: status |
Fix Committed |
Fix Released |
|
2015-02-11 17:19:25 |
Stephen M. Webb |
unity/7.2: status |
In Progress |
Fix Committed |
|
2015-03-11 02:44:21 |
Stephen M. Webb |
unity/7.2: status |
Fix Committed |
Fix Released |
|
2015-11-04 22:07:51 |
Mathew Hodson |
unity (Ubuntu Trusty): importance |
Undecided |
Medium |
|
2015-11-04 22:11:21 |
Mathew Hodson |
unity (Ubuntu): importance |
Medium |
High |
|
2015-11-04 22:11:23 |
Mathew Hodson |
unity (Ubuntu Trusty): importance |
Medium |
High |
|