17.04: GDM lock screen can be circumvented when autologin is set
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| gdm |
Fix Released
|
Medium
|
|||
| gdm3 (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Bug Description
Test Case
=========
Steps to Reproduce:
1. From Ubuntu GNOME 17.04, open the Settings app.
2. Click User Accounts then Unlock then turn on Automatic Login for your account
3. Reboot
4. Lock screen (there is a lock button in the system status menu in the right of the top bar)
5. Click the log in as another user button below the password prompt.
Actual results:
The screen unlocks without a password being entered.
Expected results:
A selection of other accounts is shown.
Testing Done
============
I confirmed that the test case succeeds with a locally built package using the provided debdiff.
Other Info
==========
Cherry-picking this commit:
https:/
Introduced in
https:/
Therefore, this should only affect Ubuntu 17.04. Ubuntu GNOME was the only Ubuntu flavor to ship GDM by default in 17.04.
CVE References
| Jeremy Bícha (jbicha) wrote | #1 |
| Changed in gdm3 (Ubuntu): | |
| status: | New → Confirmed |
| description: | updated |
| tags: |
added: zesty removed: artul |
| description: | updated |
| Changed in gdm3 (Ubuntu): | |
| importance: | Undecided → High |
| status: | Confirmed → Triaged |
| Changed in gdm: | |
| importance: | Unknown → Medium |
| status: | Unknown → Fix Released |
| Marc Deslauriers (mdeslaur) wrote | #2 |
| Launchpad Janitor (janitor) wrote | #3 |
| Changed in gdm3 (Ubuntu): | |
| status: | Triaged → Fix Released |
debdiff attached