oss-sec mailing list archives

Re: Ubuntu 14.04: security problem in the lock screen


From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Tue, 29 Apr 2014 08:26:01 -0400

Hi,

On 14-04-26 11:06 AM, Kurt Seifried wrote:
> https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308572
>
> Probably needs a CVE.


While that particular bug was fixed before 14.04 was released, it's probably
worth assigning a CVE to it anyway for tracking purposes, since I have now
published a security update that corrects two more lock screen bugs.

Here's a summary:

Issue #1 (Before 14.04 came out):

Marco Agnese discovered that Unity 7.2.0 incorrectly handled entry activation on
the lock screen, resulting in the lock screen crashing and the session becoming
unlocked.

Reference:
https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308572
http://bazaar.launchpad.net/~unity-team/unity/trunk/revision/3787

Issue #2:

Giovanni Mellini discovered that Unity 7.2.0 could display the Dash in certain
conditions when the screen was locked. A local attacker could possibly use
this issue to run commands, and unlock the current session.

Reference:
https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308850
http://bazaar.launchpad.net/~unity-team/unity/trunk/revision/3789
http://www.ubuntu.com/usn/usn-2184-1/

Issue #3:

Frédéric Bardy discovered that Unity 7.2.0 incorrectly filtered keyboard
shortcuts when the screen was locked. A local attacker could possibly use
this issue to run commands, and unlock the current session.

Reference:
https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1313885
https://code.launchpad.net/~3v1n0/unity/lockscreen-keys-disable/+merge/217528
http://www.ubuntu.com/usn/usn-2184-1/


Could CVEs please be assigned to these three issues?

Thanks!

Marc.

-- 
Marc Deslauriers
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/

