Critical security control bypass (lock screen)

Bug #1611251 reported by Dmytro Korzhevin
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
unity (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

Next info provided on behalf of Crytek CERT:

Due to bug in screenlock implementation in latest Ubuntu 16.04.1 LTS, it is possible to crash screenlock with a short timeslot in ~1.5 seconds, during which you can interact with programs on desktop.

Requirements:
  2 languages (EN, RU)
  Language switch shortcut: LCtrl+LShift

Steps to reproduce:
  Lock screen with Super+L
  Press LCtrl+LShift to switch language, and during crash of screenlock, right click on desktop to hover context menu - this will expand timeslot up to 3 seconds

Additional info with all available logs will be added.
---
.tmp.unity_support_test.1:

ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
CompositorRunning: compiz
CompositorUnredirectDriverBlacklist: '(nouveau|Intel).*Mesa 8.0'
CompositorUnredirectFSW: true
DistUpgraded: Fresh install
DistroCodename: xenial
DistroRelease: Ubuntu 16.04
DistroVariant: ubuntu
EcryptfsInUse: Yes
GraphicsCard: InnoTek Systemberatung GmbH VirtualBox Graphics Adapter [80ee:beef] (prog-if 00 [VGA controller])
InstallationDate: Installed on 2016-08-09 (0 days ago)
InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
Lsusb:
 Bus 001 Device 002: ID 80ee:0021 VirtualBox USB Tablet
 Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
MachineType: innotek GmbH VirtualBox
Package: unity 7.4.0+16.04.20160715-0ubuntu1
PackageArchitecture: amd64
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.4.0-34-generic root=/dev/mapper/ubuntu--vg-root ro quiet splash
ProcVersionSignature: Ubuntu 4.4.0-34.53-generic 4.4.15
Renderer: Software
Tags: xenial xenial xenial ubuntu compiz-0.9
Uname: Linux 4.4.0-34-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:

_MarkForUpload: True
dmi.bios.date: 12/01/2006
dmi.bios.vendor: innotek GmbH
dmi.bios.version: VirtualBox
dmi.board.name: VirtualBox
dmi.board.vendor: Oracle Corporation
dmi.board.version: 1.2
dmi.chassis.type: 1
dmi.chassis.vendor: Oracle Corporation
dmi.modalias: dmi:bvninnotekGmbH:bvrVirtualBox:bd12/01/2006:svninnotekGmbH:pnVirtualBox:pvr1.2:rvnOracleCorporation:rnVirtualBox:rvr1.2:cvnOracleCorporation:ct1:cvr:
dmi.product.name: VirtualBox
dmi.product.version: 1.2
dmi.sys.vendor: innotek GmbH
version.compiz: compiz 1:0.9.12.2+16.04.20160714-0ubuntu1
version.ia32-libs: ia32-libs N/A
version.libdrm2: libdrm2 2.4.67-1ubuntu0.16.04.1
version.libgl1-mesa-dri: libgl1-mesa-dri 11.2.0-1ubuntu2.1
version.libgl1-mesa-dri-experimental: libgl1-mesa-dri-experimental N/A
version.libgl1-mesa-glx: libgl1-mesa-glx 11.2.0-1ubuntu2.1
version.xserver-xorg-core: xserver-xorg-core 2:1.18.3-1ubuntu2.3
version.xserver-xorg-input-evdev: xserver-xorg-input-evdev 1:2.10.1-1ubuntu2
version.xserver-xorg-video-ati: xserver-xorg-video-ati 1:7.7.0-1
version.xserver-xorg-video-intel: xserver-xorg-video-intel 2:2.99.917+git20160325-1ubuntu1
version.xserver-xorg-video-nouveau: xserver-xorg-video-nouveau 1:1.0.12-1build2

Revision history for this message
Dmytro Korzhevin (korg) wrote :

And, with better quality:

https://youtu.be/RwVoOSdAqZ4

Revision history for this message
Dmytro Korzhevin (korg) wrote : BootLog.txt

apport information

tags: added: apport-collected compiz-0.9 ubuntu xenial
description: updated
Revision history for this message
Dmytro Korzhevin (korg) wrote : CurrentDmesg.txt

apport information

Revision history for this message
Dmytro Korzhevin (korg) wrote : Dependencies.txt

apport information

Revision history for this message
Dmytro Korzhevin (korg) wrote : DpkgLog.txt

apport information

Revision history for this message
Dmytro Korzhevin (korg) wrote : GsettingsChanges.txt

apport information

Revision history for this message
Dmytro Korzhevin (korg) wrote : JournalErrors.txt

apport information

Revision history for this message
Dmytro Korzhevin (korg) wrote : LightdmDisplayLog.txt

apport information

Revision history for this message
Dmytro Korzhevin (korg) wrote : LightdmLog.txt

apport information

Revision history for this message
Dmytro Korzhevin (korg) wrote : Lspci.txt

apport information

Revision history for this message
Dmytro Korzhevin (korg) wrote : MonitorsUser.xml.txt

apport information

Revision history for this message
Dmytro Korzhevin (korg) wrote : ProcCpuinfo.txt

apport information

Revision history for this message
Dmytro Korzhevin (korg) wrote : ProcEnviron.txt

apport information

Revision history for this message
Dmytro Korzhevin (korg) wrote : ProcInterrupts.txt

apport information

Revision history for this message
Dmytro Korzhevin (korg) wrote : ProcModules.txt

apport information

Revision history for this message
Dmytro Korzhevin (korg) wrote : UdevDb.txt

apport information

Revision history for this message
Dmytro Korzhevin (korg) wrote : UnitySupportTest.txt

apport information

Revision history for this message
Dmytro Korzhevin (korg) wrote : XorgLog.txt

apport information

Revision history for this message
Dmytro Korzhevin (korg) wrote : XorgLogOld.txt

apport information

Revision history for this message
Dmytro Korzhevin (korg) wrote : Xrandr.txt

apport information

Revision history for this message
Dmytro Korzhevin (korg) wrote : upstart.unity-panel-service.log.txt

apport information

Revision history for this message
Dmytro Korzhevin (korg) wrote : upstart.unity7.log.txt

apport information

Revision history for this message
Dmytro Korzhevin (korg) wrote : xdpyinfo.txt

apport information

Dmytro Korzhevin (korg)
information type: Private Security → Public Security
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in unity (Ubuntu):
status: New → Confirmed
Revision history for this message
First (a13x-prinz) wrote :
Revision history for this message
Dmytro Korzhevin (korg) wrote :

Fix confirmation from Crytek CERT team with SRU updates for unity (7.4.0+16.04.20160801.2-0ubuntu1) and related packages:

compiz-core (1:0.9.12.2+16.04.20160801.3-0ubuntu1)
libcompizconfig0:amd64 (1:0.9.12.2+16.04.20160801.3-0ubuntu1)
libdecoration0:amd64 (1:0.9.12.2+16.04.20160801.3-0ubuntu1)
compiz-plugins-default:amd64 (1:0.9.12.2+16.04.20160801.3-0ubuntu1)
compiz-gnome (1:0.9.12.2+16.04.20160801.3-0ubuntu1)
compiz (1:0.9.12.2+16.04.20160801.3-0ubuntu1)
libframe6:amd64 (2.5.0daily13.06.05+16.04.20160809-0ubuntu1)
unity-services (7.4.0+16.04.20160801.2-0ubuntu1)
unity-schemas (7.4.0+16.04.20160801.2-0ubuntu1)
libunity-core-6.0-9:amd64 (7.4.0+16.04.20160801.2-0ubuntu1)

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.