desktop-packages team mailing list archive

[Marc Deslauriers <marc.deslauriers@xxxxxxxxxxxxx>]

*** This bug is a security vulnerability ***

Public security bug reported:

tl;dr; Unity doesn't emit the ActiveChanged signal when the screen is
locked/unlocked

Long version:

unity-settings-daemon's automount plugin has code to detect whether the
screen is locked or not before automatically mounting a volume. This
prevents someone from inserting a USB thumb drive when the screen is
locked and exploiting a possible nautilus thumbnailer vulnerability.
(See bug #714958 for original implementation details.)

In Ubuntu 14.04, this code no longer works. Inserting a USB thumb drive
while the screen is locked results in a Nautilus window opening
underneath the lock screen, and the contents of the USB thumb drive
being read.

Since the screen lock got switched to Unity in Ubuntu 14.04, Unity no
longer emits the org.gnome.ScreenSaver ActiveChanged signal when the
screen gets locked or unlocked.

To test:

1- in terminal, type:
dbus-monitor "type='signal',sender='org.gnome.ScreenSaver',interface='org.gnome.ScreenSaver'"
2- Lock the screen
3- Unlock the screen
4- Notice that no signal was received

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: unity 7.3.2+15.04.20150330-0ubuntu1
ProcVersionSignature: Ubuntu 3.19.0-10.10-generic 3.19.2
Uname: Linux 3.19.0-10-generic x86_64
ApportVersion: 2.17-0ubuntu1
Architecture: amd64
CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
CurrentDesktop: Unity
Date: Tue Mar 31 15:15:48 2015
InstallationDate: Installed on 2013-11-26 (489 days ago)
InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Release amd64 (20131016.1)
SourcePackage: unity
UpgradeStatus: Upgraded to vivid on 2015-03-07 (24 days ago)

** Affects: unity (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: unity (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Affects: unity (Ubuntu Utopic)
     Importance: Undecided
         Status: New

** Affects: unity (Ubuntu Vivid)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug third-party-packages vivid

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dp-unity
https://bugs.launchpad.net/bugs/1438870

Title:
  Lock screen doesn't emit ActiveChanged signal

Status in unity package in Ubuntu:
  New
Status in unity source package in Trusty:
  New
Status in unity source package in Utopic:
  New
Status in unity source package in Vivid:
  New

Bug description:
  tl;dr; Unity doesn't emit the ActiveChanged signal when the screen is
  locked/unlocked

  Long version:

  unity-settings-daemon's automount plugin has code to detect whether
  the screen is locked or not before automatically mounting a volume.
  This prevents someone from inserting a USB thumb drive when the screen
  is locked and exploiting a possible nautilus thumbnailer
  vulnerability. (See bug #714958 for original implementation details.)

  In Ubuntu 14.04, this code no longer works. Inserting a USB thumb
  drive while the screen is locked results in a Nautilus window opening
  underneath the lock screen, and the contents of the USB thumb drive
  being read.

  Since the screen lock got switched to Unity in Ubuntu 14.04, Unity no
  longer emits the org.gnome.ScreenSaver ActiveChanged signal when the
  screen gets locked or unlocked.

  To test:

  1- in terminal, type:
  dbus-monitor "type='signal',sender='org.gnome.ScreenSaver',interface='org.gnome.ScreenSaver'"
  2- Lock the screen
  3- Unlock the screen
  4- Notice that no signal was received

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: unity 7.3.2+15.04.20150330-0ubuntu1
  ProcVersionSignature: Ubuntu 3.19.0-10.10-generic 3.19.2
  Uname: Linux 3.19.0-10-generic x86_64
  ApportVersion: 2.17-0ubuntu1
  Architecture: amd64
  CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
  CurrentDesktop: Unity
  Date: Tue Mar 31 15:15:48 2015
  InstallationDate: Installed on 2013-11-26 (489 days ago)
  InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Release amd64 (20131016.1)
  SourcePackage: unity
  UpgradeStatus: Upgraded to vivid on 2015-03-07 (24 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1438870/+subscriptions