dx-packages team mailing list archive

[Bug 1370017] Re: Unity Lockscreen shows unlocked desktop while shutting down

 

Attached debdiff between trusty-updates and SRU.

** Description changed:

- Hi,
+ [Impact and Test Case]
  
  Steps to reproduce:
  1 - Lock the screen
  2 - From the lockscreen, tell the computer to shut down / restart
  
  Expected behavior:
  * Session programs are closed while the screen is still locked
  * During shutdown, no user interaction is possible
  
  Observed behavior:
  * The lockscreen is gone immediately, with the rest of compiz (e.g. window decorations are not present)
  * But it's possible to interact with programs that are still running in the session for about 3 seconds
  
  Observed on an updated Trusty machine, running unity version
  7.2.2+14.04.20140714-0ubuntu1.1
  
  I consider this bug a security vulnerability because during those 3
  seconds it could be possible to access and interact with sensitive
  information.  Yes, it's short, but you could take a picture or even rm
  -rf / if there happened to be a root console available.
+ 
+ [Regression Potential]
+ 
+ An improper implementation of the fix for this issue could result in an
+ indefinite hang during system shutdown, or could result in the problem
+ not being completely fixed and the security vulnerability continuing.
+ 
+ Neither appear to be the case.
+ 
+ [ Other Info ]
+ 
+ The Ubuntu 14.04 LTS SRU has been cherry-picked from upstream Unity
+ where it has been in development-level production code in Ubuntu 'Vivid
+ Vervet' development release for a few months and has not display
+ additional problems.

** Patch added: "debdiff between unity_7.2.3+14.04.20140826-0ubuntu1 and unity_7.2.4+14.04.20141217-0ubuntu1"
   https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1370017/+attachment/4289404/+files/unity_7.2.4%2B14.04.20141217-0ubuntu1.debdiff

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of DX
Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/1370017

Title:
  Unity Lockscreen shows unlocked desktop while shutting down

Status in Unity:
  Fix Committed
Status in Unity 7.2 series:
  In Progress
Status in unity package in Ubuntu:
  Fix Released

Bug description:
  [Impact and Test Case]

  Steps to reproduce:
  1 - Lock the screen
  2 - From the lockscreen, tell the computer to shut down / restart

  Expected behavior:
  * Session programs are closed while the screen is still locked
  * During shutdown, no user interaction is possible

  Observed behavior:
  * The lockscreen is gone immediately, with the rest of compiz (e.g. window decorations are not present)
  * But it's possible to interact with programs that are still running in the session for about 3 seconds

  Observed on an updated Trusty machine, running unity version
  7.2.2+14.04.20140714-0ubuntu1.1

  I consider this bug a security vulnerability because during those 3
  seconds it could be possible to access and interact with sensitive
  information.  Yes, it's short, but you could take a picture or even rm
  -rf / if there happened to be a root console available.

  [Regression Potential]

  An improper implementation of the fix for this issue could result in
  an indefinite hang during system shutdown, or could result in the
  problem not being completely fixed and the security vulnerability
  continuing.

  Neither appears to be the case.

  [ Other Info ]

  The Ubuntu 14.04 LTS SRU has been cherry-picked from upstream Unity
  where it has been in development-level production code in Ubuntu
  'Vivid Vervet' development release for a few months and has not
  displayed additional problems.
