Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 3 May 2014 03:10:35 -0400 (EDT)
From: cve-assign@...re.org
To: marc.deslauriers@...onical.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Ubuntu 14.04: security problem in the lock screen

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Issues #1, #2, and #3 are clearly within the scope of CVE, and have
their CVE IDs below. The common theme is "the user intended to lock
the screen, the UI indicates that the screen is successfully locked,
the user physically leaves, but this locking can then be bypassed by a
physically present attacker."

Two of the other bugs referenced within pages for #1, #2, and #3 are

  https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308572/comments/6

and

  https://bugs.launchpad.net/ubuntu/+source/gnome-screensaver/+bug/49579

Quite possibly, these should also have CVE IDs, but there are
potentially valid counterarguments. First, at a high level, neither of
these matches the "common theme" described above.

For 1308572/comments/6, one counterargument is that a user isn't
entitled to expect that screen locking will continue to work
flawlessly if he decides to kill arbitrary processes that are, more or
less, related to screen/display functionality. Also, the risk is very
low in the sense that, before a user physically left, it would usually
be obvious that the screen was not successfully locked. However, there
is conceivably a scenario in which killing compiz is a supported (or,
at least, reasonable) user activity, and the user must leave
immediately after a screen-locking attempt without waiting even a few
seconds.

For 49579, there are many ways to summarize the long discussion: here
is one of them. A typical end user may expect that automatic screen
locking succeeds regardless of what the user had been doing (e.g., if
the user was in the middle of a menu operation). A developer may
expect that automatic screen locking succeeds in cases where the
implementation is achievable in a reasonable amount of time. There are
(at least) three possible conclusions:

  1. The end user wins. This is a vulnerability regardless of what
     documentation exists, because it is unreasonable to expect an end
     user to learn about the failure conditions.

  2. This is a vulnerability if the documentation is not "good
     enough." For example, if the only documentation is bug 49579
     itself, maybe that's not enough.

  3. The developer wins. This is never a vulnerability. Yes, it would
     be nice for automatic screen locking to succeed in more cases,
     but this is not a high-value security feature for all users, and
     it's OK for development to use a "reasonable effort" approach
     rather than a "must cover every possible case at all costs"
     approach.


> Issue #1 (Before 14.04 came out):
> 
> Marco Agnese discovered that Unity 7.2.0 incorrectly handled entry activation on
> the lock screen, resulting in the lock screen crashing and the session becoming
> unlocked.
> 
> Reference:
> https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308572
> http://bazaar.launchpad.net/~unity-team/unity/trunk/revision/3787

Use CVE-2014-3202.


> Issue #2:
> 
> Giovanni Mellini discovered that Unity 7.2.0 could display the Dash in certain
> conditions when the screen was locked. A local attacker could possibly use
> this issue to run commands, and unlock the current session.
> 
> Reference:
> https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308850
> http://bazaar.launchpad.net/~unity-team/unity/trunk/revision/3789
> http://www.ubuntu.com/usn/usn-2184-1/

Use CVE-2014-3203.


> Issue #3:
> 
> Frederic Bardy discovered that Unity 7.2.0 incorrectly filtered keyboard
> shortcuts when the screen was locked. A local attacker could possibly use
> this issue to run commands, and unlock the current session.
> 
> Reference:
> https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1313885
> https://code.launchpad.net/~3v1n0/unity/lockscreen-keys-disable/+merge/217528
> http://www.ubuntu.com/usn/usn-2184-1/

Use CVE-2014-3204.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTZJVNAAoJEKllVAevmvms96YH/iwHSHG581FZ0v2fAjEEqXlP
aAi1Fy65ejwxP1mEnpgw15p9mu8OTD1vYNn4+ibdvQ/MuGKuS/uSsTeH6vixhB/f
U4SmcOqTGc0ejEiRIG9Pf1CoLZnP8fYuwPRYKuF4ah8AZKNbfnwmL3AO8/SaUtN2
7E/f+KuajcUOvbKBTcANPffILUufyNSzXWc+DxsRcNYjaDs9K4B5VDLZbT8NbquB
rUFWPPhiAWFlKq+XAz6uLLcKug8L775xhbB60iPzhYa6tqatuJSuHm9CGb/5HwJT
NXK8VyfaPfg+/iTzyjNHNO8wKq6QdlM9C3Qn6hyBIhUTa37WjnSqVBpPtQMwCzg=
=kdSf
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.