dx-packages team mailing list archive
-
dx-packages team
-
Mailing list archive
-
Message #31077
[Bug 1413790] Re: It's possible to bypasss lockscreen if user is in nopasswdlogin group.
Hello Andrea, or anyone else affected,
Accepted unity into trusty-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/unity/7.2.4+14.04.20150316-0ubuntu1
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed. Your feedback will aid us getting this update
out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed. In either case, details of your testing will help
us make a better decision.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!
** Changed in: unity (Ubuntu Trusty)
Status: In Progress => Fix Committed
** Tags added: verification-needed
--
You received this bug notification because you are a member of DX
Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/1413790
Title:
It's possible to bypasss lockscreen if user is in nopasswdlogin group.
Status in Unity:
Fix Released
Status in Unity 7.2 series:
In Progress
Status in unity package in Ubuntu:
Fix Released
Status in unity source package in Trusty:
Fix Committed
Bug description:
[IMPACT]
A user is presented with a password dialog even if a member of the nopasswdlogin group (and may not have a password).
[TEST CASE]
(1) Create a test user.
(2) Add the test user to the nopasswdlogin group.
(3) Log in to a Unity session using that acocunt.
(4) Lock the screen.
(5) Attempt to unlock the screen: no password prompt should be presented.
[REGRESSION POTENTIAL]
Conceivably allowing a login with no authentication could present
unexpected vulnerabilities in which unforseen code paths also exercise
this function. Care has been taken by the developer to avoid such
cases.
[OTHER INFO]
The fix for Ubuntu 14.04 LTS was cherry picked from the Ubuntu "Vivid
Vervet" dev release where it has been in production use for some time
without apparent regression.
To manage notifications about this bug go to:
https://bugs.launchpad.net/unity/+bug/1413790/+subscriptions