Lock screen doesn't emit ActiveChanged signal

Bug #1438870 reported by Marc Deslauriers on 2015-03-31
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Unity | Won't Fix | High | Unassigned |
unity-settings-daemon (Ubuntu) | | High | Marco Trevisan (Treviño) |
Trusty | | High | Marc Deslauriers |

Bug Description

tl;dr; Unity doesn't emit the ActiveChanged signal when the screen is locked/unlocked

Long version:

unity-settings-daemon's automount plugin has code to detect whether the screen is locked or not before automatically mounting a volume. This prevents someone from inserting a USB thumb drive when the screen is locked and exploiting a possible nautilus thumbnailer vulnerability. (See bug #714958 for original implementation details.)

In Ubuntu 14.04, this code no longer works. Inserting a USB thumb drive while the screen is locked results in a Nautilus window opening underneath the lock screen, and the contents of the USB thumb drive being read.

Since the screen lock got switched to Unity in Ubuntu 14.04, Unity no longer emits the org.gnome.ScreenSaver ActiveChanged signal when the screen gets locked or unlocked.

To test:

1- in terminal, type:
dbus-monitor "type='signal',sender='org.gnome.ScreenSaver',interface='org.gnome.ScreenSaver'"
2- Lock the screen
3- Unlock the screen
4- Notice that no signal was received

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: unity 7.3.2+15.04.20150330-0ubuntu1
ProcVersionSignature: Ubuntu 3.19.0-10.10-generic 3.19.2
Uname: Linux 3.19.0-10-generic x86_64
ApportVersion: 2.17-0ubuntu1
Architecture: amd64
CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
CurrentDesktop: Unity
Date: Tue Mar 31 15:15:48 2015
InstallationDate: Installed on 2013-11-26 (489 days ago)
InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Release amd64 (20131016.1)
SourcePackage: unity
UpgradeStatus: Upgraded to vivid on 2015-03-07 (24 days ago)

Marc Deslauriers (mdeslaur) wrote :
tags: added: lockscreen
Changed in unity (Ubuntu Trusty):
importance: Undecided → High
Changed in unity:
importance: Undecided → High
Changed in unity (Ubuntu Vivid):
importance: Undecided → High
Changed in unity (Ubuntu Utopic):
importance: Undecided → High
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2015-1319

Mh, I think we should fix the problem in unity-settings-daemon, by connecting to the com.canonical.Unity.Session.Locked signal instead.

Since in Unity the screensaver != lockscreen, and we emit the org.gnome.ScreenSaver.ActiveChanged only when the screensaver is shown (and this generally happens after the lockscreen has been configured).

Changed in unity-settings-daemon (Ubuntu):
status: New → Triaged
Changed in unity-settings-daemon (Ubuntu Trusty):
status: New → Triaged
Changed in unity-settings-daemon (Ubuntu Utopic):
status: New → Triaged
Changed in unity-settings-daemon (Ubuntu Vivid):
status: New → Triaged
Changed in unity (Ubuntu Trusty):
status: New → Won't Fix
Changed in unity (Ubuntu Utopic):
status: New → Won't Fix
Changed in unity-settings-daemon (Ubuntu):
importance: Undecided → High
Changed in unity-settings-daemon (Ubuntu Trusty):
importance: Undecided → High
Changed in unity-settings-daemon (Ubuntu Utopic):
importance: Undecided → High
Changed in unity-settings-daemon (Ubuntu Vivid):
importance: Undecided → High
Changed in unity (Ubuntu):
status: New → Triaged
Changed in unity (Ubuntu Trusty):
status: Won't Fix → Triaged
Changed in unity (Ubuntu Utopic):
status: Won't Fix → Triaged
Changed in unity (Ubuntu Vivid):
status: New → Triaged
Changed in unity:
status: New → Confirmed
Changed in unity (Ubuntu Vivid):
status: Triaged → Won't Fix
Changed in unity (Ubuntu):
status: Triaged → Won't Fix
Changed in unity (Ubuntu Trusty):
status: Triaged → Won't Fix
Changed in unity (Ubuntu Utopic):
status: Triaged → Won't Fix
Changed in unity-settings-daemon (Ubuntu):
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
Changed in unity-settings-daemon (Ubuntu Utopic):
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
Changed in unity-settings-daemon (Ubuntu Vivid):
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
Changed in unity-settings-daemon (Ubuntu Trusty):
status: Triaged → In Progress
Changed in unity-settings-daemon (Ubuntu Utopic):
status: Triaged → In Progress
Changed in unity-settings-daemon (Ubuntu):
status: Triaged → In Progress
Changed in unity-settings-daemon (Ubuntu Vivid):
status: Triaged → In Progress
Changed in unity-settings-daemon (Ubuntu Trusty):
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
Changed in unity (Ubuntu):
status: Won't Fix → Confirmed
no longer affects: unity (Ubuntu)
no longer affects: unity (Ubuntu Trusty)
no longer affects: unity (Ubuntu Utopic)
no longer affects: unity (Ubuntu Vivid)
tags: added: trusty
no longer affects: unity-settings-daemon (Ubuntu Utopic)
Changed in unity (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity-settings-daemon - 15.04.1+15.10.20150630.1-0ubuntu1

---------------
unity-settings-daemon (15.04.1+15.10.20150630.1-0ubuntu1) wily; urgency=medium

  [ CI Train Bot ]
  * New rebuild forced.

  [ Dmitry Shachnev ]
  * xsettings: fix some settings not being updated with the latest glib

  [ Marco Trevisan (Treviño) ]
  * AutoMount: also try to connect to Unity Session and delay automounts
    when locked (LP: #1438870)

 -- CI Train Bot <email address hidden> Tue, 30 Jun 2015 15:48:02 +0000

Changed in unity-settings-daemon (Ubuntu):
status: In Progress → Fix Released
Changed in unity (Ubuntu):
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
status: Confirmed → Fix Released
no longer affects: unity-settings-daemon (Ubuntu Trusty)
no longer affects: unity-settings-daemon (Ubuntu Vivid)
Changed in unity:
status: Confirmed → Won't Fix
no longer affects: unity/trusty
Changed in unity (Ubuntu):
status: Fix Released → Invalid
status: Invalid → Fix Released
Changed in unity (Ubuntu Trusty):
status: New → Fix Released
Changed in unity-settings-daemon (Ubuntu Trusty):
status: New → Confirmed
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity-settings-daemon - 14.04.0+14.04.20150825-0ubuntu2

---------------
unity-settings-daemon (14.04.0+14.04.20150825-0ubuntu2) trusty-security; urgency=medium

  * SECURITY UPDATE: Drives automount while screen is locked
    (LP: #1438870)
    - plugins/automount/gsd-automount-manager.c: also monitor Unity screen
      lock.
    - CVE-2015-1319

 -- Marc Deslauriers <email address hidden> Fri, 11 Sep 2015 13:44:35 -0400

Changed in unity-settings-daemon (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in unity-settings-daemon (Ubuntu Trusty):
importance: Undecided → High
no longer affects: unity (Ubuntu Trusty)
no longer affects: unity (Ubuntu)
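
The lock check discussed in this report, modelled as an added example (not unity-settings-daemon's code): a gate that listens only for org.gnome.ScreenSaver ActiveChanged mounts volumes while Unity's lock screen is up, while one that also tracks com.canonical.Unity.Session defers them until unlock. The class, the event stream and the volume names are constructed; the "Unlocked" signal is assumed as the counterpart of the "Locked" signal named above.

```python
GNOME_SS = "org.gnome.ScreenSaver"             # interface from the report
UNITY_SESSION = "com.canonical.Unity.Session"  # interface from the fix comment

class AutomountGate:
    """Model of the automount lock check (illustration, not the daemon's code)."""
    def __init__(self, watch_unity_session):
        self.watch_unity_session = watch_unity_session  # False models pre-fix
        self.screensaver_active = self.session_locked = False
        self.pending, self.mounted = [], []

    @property
    def locked(self):
        # Either source alone is enough to treat the session as locked.
        return self.screensaver_active or self.session_locked

    def on_signal(self, interface, member, args=()):
        if interface == GNOME_SS and member == "ActiveChanged":
            self.screensaver_active = bool(args[0])
        elif self.watch_unity_session and interface == UNITY_SESSION:
            if member in ("Locked", "Unlocked"):  # "Unlocked" is assumed
                self.session_locked = member == "Locked"
        if not self.locked:  # flush volumes deferred while locked
            self.mounted, self.pending = self.mounted + self.pending, []

    def on_volume_added(self, volume):
        (self.pending if self.locked else self.mounted).append(volume)

# Constructed event stream: lock, insert, screensaver on/off, insert, unlock.
EVENTS = [
    ("signal", UNITY_SESSION, "Locked", ()),
    ("volume", "usb-stick-A"),
    ("signal", GNOME_SS, "ActiveChanged", (True,)),
    ("signal", GNOME_SS, "ActiveChanged", (False,)),  # woken, still locked
    ("volume", "usb-stick-B"),
    ("signal", UNITY_SESSION, "Unlocked", ()),
]

def replay(watch_unity_session):
    """Return (volumes mounted while really locked, all volumes mounted)."""
    gate, really_locked, exposed = AutomountGate(watch_unity_session), False, []
    for kind, *rest in EVENTS:
        if kind == "signal":
            if rest[0] == UNITY_SESSION:
                really_locked = rest[1] == "Locked"
            gate.on_signal(*rest)
        else:
            gate.on_volume_added(rest[0])
            if really_locked and rest[0] in gate.mounted:
                exposed.append(rest[0])
    return exposed, gate.mounted
```

Tracking the two sources as separate flags matters: with a single boolean, the ActiveChanged(false) sent when the screensaver is dismissed would clear the lock state while the lock screen is still showing.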
This report contains Public Security information
Everyone can see this security related information.