← Back to team overview

dx-packages team mailing list archive

[Bug 1413790] Update Released

 

The verification of the Stable Release Update for unity has completed
successfully and the package has now been released to -updates.
Subsequently, the Ubuntu Stable Release Updates Team is being
unsubscribed and will not receive messages about this bug report.  In
the event that you encounter a regression using the package from
-updates please report a new bug using ubuntu-bug and tag the bug report
regression-update so we can easily find any regressions.

-- 
You received this bug notification because you are a member of DX
Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/1413790

Title:
  It's possible to bypasss lockscreen if user is in nopasswdlogin group.

Status in Unity:
  Fix Released
Status in Unity 7.2 series:
  In Progress
Status in unity package in Ubuntu:
  Fix Released
Status in unity source package in Trusty:
  Fix Released

Bug description:
  [IMPACT]
  A user is presented with a password dialog even if a member of the nopasswdlogin group (and may not have a password).

  [TEST CASE]

  (1) Create a test user.
  (2) Add the test user to the nopasswdlogin group.
  (3) Log in to a Unity session using that acocunt.
  (4) Lock the screen.
  (5) Attempt to unlock the screen:  no password prompt should be presented.

  [REGRESSION POTENTIAL]

  Conceivably allowing a login with no authentication could present
  unexpected vulnerabilities in which unforseen code paths also exercise
  this function.  Care has been taken by the developer to avoid such
  cases.

  [OTHER INFO]

  The fix for Ubuntu 14.04 LTS was cherry picked from the Ubuntu "Vivid
  Vervet" dev release where it has been in production use for some time
  without apparent regression.

To manage notifications about this bug go to:
https://bugs.launchpad.net/unity/+bug/1413790/+subscriptions