touch-packages team mailing list archive

[James Hunt <1345505@xxxxxxxxxxxxxxxxxx>]

*** This bug is a security vulnerability ***

Public security bug reported:

When my machine comes out of suspend, I am shown the lightdm greeter.
However, occasionally I am unable to enter my password since the
password box is not given focus. Clicking with the mouse in the password
box also doesn't help.

I've found that clicking the settings cog (top right) twice allows me to
regain control of the focus and enter my password.

Aside from the inability to enter my password in the password box, it
seems that simply typing my password (or in fact any text) results in
those keystrokes being passed to the full-screen window *behind* the
greeter. This should not be possible and is a security issue: imagine if
my full-screen console was connected to a remote shared session, or was
running an irc client, etc.).

ProblemType: Bug
DistroRelease: Ubuntu 14.10
Package: lightdm 1.11.4-0ubuntu1
ProcVersionSignature: Ubuntu 3.16.0-4.9-generic 3.16.0-rc5
Uname: Linux 3.16.0-4-generic x86_64
ApportVersion: 2.14.4-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Sun Jul 20 09:08:47 2014
InstallationDate: Installed on 2014-04-11 (99 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Daily amd64 (20140409)
SourcePackage: lightdm
UpgradeStatus: Upgraded to utopic on 2014-05-08 (72 days ago)

** Affects: lightdm (Ubuntu)
     Importance: High
         Status: New


** Tags: amd64 apport-bug third-party-packages utopic

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1345505

Title:
  lightdm leaks keystrokes to window "behind" greeter

Status in “lightdm” package in Ubuntu:
  New

Bug description:
  When my machine comes out of suspend, I am shown the lightdm greeter.
  However, occasionally I am unable to enter my password since the
  password box is not given focus. Clicking with the mouse in the
  password box also doesn't help.

  I've found that clicking the settings cog (top right) twice allows me
  to regain control of the focus and enter my password.

  Aside from the inability to enter my password in the password box, it
  seems that simply typing my password (or in fact any text) results in
  those keystrokes being passed to the full-screen window *behind* the
  greeter. This should not be possible and is a security issue: imagine
  if my full-screen console was connected to a remote shared session, or
  was running an irc client, etc.).

  ProblemType: Bug
  DistroRelease: Ubuntu 14.10
  Package: lightdm 1.11.4-0ubuntu1
  ProcVersionSignature: Ubuntu 3.16.0-4.9-generic 3.16.0-rc5
  Uname: Linux 3.16.0-4-generic x86_64
  ApportVersion: 2.14.4-0ubuntu2
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Sun Jul 20 09:08:47 2014
  InstallationDate: Installed on 2014-04-11 (99 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Daily amd64 (20140409)
  SourcePackage: lightdm
  UpgradeStatus: Upgraded to utopic on 2014-05-08 (72 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1345505/+subscriptions