[Secure-testing-team] Bug#702234: gnome-shell: Screen lock delayed on password prompt
Asterix
zzz232 at rocketmail.com
Mon Mar 4 11:33:14 UTC 2013
Package: gnome-shell
Version: 3.4.2-7
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

I tried to type in the password for an encrypted wireless network, and pressed
enter. I then closed my lid, expecting it to lock the screen and suspend. It
did suspend, but when I woke it up, instead of the locked screen, it was
unlocked, and there was a password prompt there (I had got the wifi password
wrong, so it had made another prompt). This meant that without the password,
someone could look at the stuff I had on my screen. When I clicked cancel, it
then locked my screen after about half a second. I found that this is the same
when gnome-shell password prompts are given for root privileges, for example
opening synaptic, and that there is this problem not only closing my lid, but
if I wait for a minute until the screen turned off. Each time, it does not lock
the screen until just after the password prompt is closed.

I would expect the screen to lock, and probably to be presented with a password
prompt upon unlocking, but it would also solve the security issue if it
canceled the prompt when going to sleep/switching the screen off.

I could not do anything effective, other than be aware of the situation,
although this is less effective when there are surprise prompts such as when
you get a password wrong.

-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages gnome-shell depends on:
ii dconf-gsettings-backend [gsettings-backend] 0.12.1-3
ii gconf-service 3.2.5-1+build1
ii gir1.2-accountsservice-1.0 0.6.21-8
ii gir1.2-atk-1.0 2.4.0-2
ii gir1.2-caribou-1.0 0.4.4-1
ii gir1.2-clutter-1.0 1.10.8-2
ii gir1.2-cogl-1.0 1.10.2-6
ii gir1.2-coglpango-1.0 1.10.2-6
ii gir1.2-folks-0.6 0.6.9-1+b1
ii gir1.2-freedesktop 1.32.1-1
ii gir1.2-gconf-2.0 3.2.5-1+build1
ii gir1.2-gcr-3 3.4.1-3
ii gir1.2-gdesktopenums-3.0 3.4.2-3
ii gir1.2-gdkpixbuf-2.0 2.26.1-1
ii gir1.2-gee-1.0 0.6.4-2
ii gir1.2-gkbd-3.0 3.4.0.2-1
ii gir1.2-glib-2.0 1.32.1-1
ii gir1.2-gmenu-3.0 3.4.2-5
ii gir1.2-gnomebluetooth-1.0 3.4.2-1
ii gir1.2-gtk-3.0 3.4.2-6
ii gir1.2-json-1.0 0.14.2-1
ii gir1.2-mutter-3.0 3.4.1-5
ii gir1.2-networkmanager-1.0 0.9.4.0-10
ii gir1.2-pango-1.0 1.30.0-1
ii gir1.2-polkit-1.0 0.105-3
ii gir1.2-soup-2.4 2.38.1-2
ii gir1.2-telepathyglib-0.12 0.18.2-2
ii gir1.2-telepathylogger-0.2 0.4.0-1
ii gir1.2-upowerglib-1.0 0.9.17-1
ii gjs 1.32.0-5
ii gnome-bluetooth 3.4.2-1
ii gnome-icon-theme-symbolic 3.4.0-2
ii gnome-settings-daemon 3.4.2+git20121218.7c1322-2
ii gnome-shell-common 3.4.2-7
ii gnome-themes-standard 3.4.2-2.1
ii gsettings-desktop-schemas 3.4.2-3
ii libatk1.0-0 2.4.0-2
ii libc6 2.13-38
ii libcairo-gobject2 1.12.2-3
ii libcairo2 1.12.2-3
ii libcanberra0 0.28-6
ii libclutter-1.0-0 1.10.8-2
ii libcogl-pango0 1.10.2-6
ii libcogl9 1.10.2-6
ii libcroco3 0.6.6-2
ii libdbus-1-3 1.6.8-1
ii libdbus-glib-1-2 0.100.1-1
ii libebook-1.2-13 3.4.4-3
ii libecal-1.2-11 3.4.4-3
ii libedataserver-1.2-16 3.4.4-3
ii libedataserverui-3.0-1 3.4.4-3
ii libffi5 3.0.10-3
ii libfolks25 0.6.9-1+b1
ii libgck-1-0 3.4.1-3
ii libgconf-2-4 3.2.5-1+build1
ii libgcr-3-1 3.4.1-3
ii libgdk-pixbuf2.0-0 2.26.1-1
ii libgee2 0.6.4-2
ii libgirepository-1.0-1 1.32.1-1
ii libgjs0b [libgjs0-libmozjs185-1.0] 1.32.0-5
ii libgl1-mesa-glx [libgl1] 8.0.5-3
ii libglib2.0-0 2.33.12+really2.32.4-5
ii libgnome-keyring0 3.4.1-1
ii libgnome-menu-3-0 3.4.2-5
ii libgstreamer0.10-0 0.10.36-1.1
ii libgtk-3-0 3.4.2-6
ii libical0 0.48-2
ii libjson-glib-1.0-0 0.14.2-1
ii libmozjs185-1.0 1.8.5-1.0.0+dfsg-4
ii libmutter0 3.4.1-5
ii libnm-glib4 0.9.4.0-10
ii libnm-util2 0.9.4.0-10
ii libnspr4 2:4.9.2-1
ii libnspr4-0d 2:4.9.2-1
ii libp11-kit0 0.12-3
ii libpango1.0-0 1.30.0-1
ii libpolkit-agent-1-0 0.105-3
ii libpolkit-gobject-1-0 0.105-3
ii libpulse-mainloop-glib0 2.0-6
ii libpulse0 2.0-6
ii libsoup2.4-1 2.38.1-2
ii libstartup-notification0 0.12-1
ii libtelepathy-glib0 0.18.2-2
ii libtelepathy-logger2 0.4.0-1
ii libx11-6 2:1.5.0-1
ii libxcomposite1 1:0.4.3-2
ii libxdamage1 1:1.1.3-2
ii libxext6 2:1.3.1-2
ii libxfixes3 1:5.0-4
ii libxi6 2:1.6.1-1
ii libxml2 2.8.0+dfsg1-7
ii python 2.7.3-4
ii telepathy-mission-control-5 1:5.12.3-1
Versions of packages gnome-shell recommends:
ii gkbd-capplet 3.4.0.2-1
ii gnome-contacts 3.4.1-1+b1
ii gnome-control-center 1:3.4.3.1-2
ii gnome-session-fallback 3.4.2.1-3
ii gnome-user-guide 3.4.2-1+build1
ii unzip 6.0-8
gnome-shell suggests no packages.
-- no debconf information