Date: Tue, 29 Apr 2014 08:26:01 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: Ubuntu 14.04: security problem in the lock screen

Hi,

On 14-04-26 11:06 AM, Kurt Seifried wrote:
> https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308572
>
> Probably needs a CVE.
>

While that particular bug was fixed before 14.04 was released, it's
probably worth assigning a CVE to it anyway for tracking purposes, since
I have now published a security update that corrects two more lock
screen bugs.

Here's a summary:

Issue #1 (Before 14.04 came out):

Marco Agnese discovered that Unity 7.2.0 incorrectly handled entry
activation on the lock screen, resulting in the lock screen crashing and
the session becoming unlocked.

Reference:
https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308572
http://bazaar.launchpad.net/~unity-team/unity/trunk/revision/3787

Issue #2:

Giovanni Mellini discovered that Unity 7.2.0 could display the Dash in
certain conditions when the screen was locked. A local attacker could
possibly use this issue to run commands, and unlock the current session.

Reference:
https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308850
http://bazaar.launchpad.net/~unity-team/unity/trunk/revision/3789
http://www.ubuntu.com/usn/usn-2184-1/

Issue #3:

Frédéric Bardy discovered that Unity 7.2.0 incorrectly filtered keyboard
shortcuts when the screen was locked. A local attacker could possibly
use this issue to run commands, and unlock the current session.

Reference:
https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1313885
https://code.launchpad.net/~3v1n0/unity/lockscreen-keys-disable/+merge/217528
http://www.ubuntu.com/usn/usn-2184-1/

Could CVEs please be assigned to these three issues?

Thanks!

Marc.

-- 
Marc Deslauriers
Ubuntu Security Engineer | http://www.ubuntu.com/
Canonical Ltd. | http://www.canonical.com/