Date: Tue, 29 Apr 2014 08:26:01 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: Ubuntu 14.04: security problem in the lock screen

Hi,

On 14-04-26 11:06 AM, Kurt Seifried wrote:
> https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308572
> 
> Probably needs a CVE.
> 

While that particular bug was fixed before 14.04 was released, it's probably
worth assigning a CVE to it anyway for tracking purposes, since I have now
published a security update that corrects two more lock screen bugs.

Here's a summary:

Issue #1 (Before 14.04 came out):

Marco Agnese discovered that Unity 7.2.0 incorrectly handled entry activation on
the lock screen, resulting in the lock screen crashing and the session becoming
unlocked.

Reference:
https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308572
http://bazaar.launchpad.net/~unity-team/unity/trunk/revision/3787

Issue #2:

Giovanni Mellini discovered that Unity 7.2.0 could display the Dash in certain
conditions when the screen was locked. A local attacker could possibly use
this issue to run commands, and unlock the current session.

Reference:
https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308850
http://bazaar.launchpad.net/~unity-team/unity/trunk/revision/3789
http://www.ubuntu.com/usn/usn-2184-1/

Issue #3:

Frédéric Bardy discovered that Unity 7.2.0 incorrectly filtered keyboard
shortcuts when the screen was locked. A local attacker could possibly use
this issue to run commands, and unlock the current session.

Reference:
https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1313885
https://code.launchpad.net/~3v1n0/unity/lockscreen-keys-disable/+merge/217528
http://www.ubuntu.com/usn/usn-2184-1/


Could CVEs please be assigned to these three issues?

Thanks!

Marc.

-- 
Marc Deslauriers
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/
