Bug 783779 - (CVE-2017-12164) Lock screen password bypass by trying to log as another user
Status: RESOLVED FIXED
Product: gdm
Classification: Core
Component: general
Version: 3.24.x
Hardware/OS: Other Linux
Priority/Severity: Normal / normal
Target Milestone: ---
Assigned To: GDM maintainers
QA Contact: GDM maintainers
Alias: CVE-2017-12164
Duplicates: 789638
Reported: 2017-06-14 08:15 UTC by adriantovick
Modified: 2017-11-01 13:51 UTC
GNOME target: 3.26
GNOME version: ---

Attachments:
- video repro (3.24 MB, video/mp4), 2017-06-15 13:49 UTC, adriantovick
- manager: don't allow autologin from transient displays (3.52 KB, patch), 2017-09-11 21:11 UTC, Ray Strode [halfline], committed

Description adriantovick 2017-06-14 08:15:30 UTC
I have only one user on my machine (apart from root), and I have the account set to ask for a password on screen lock. But when I click the link in the lock screen to log in as another user, the lock screen goes away and I can continue my session as usual, without even needing to provide the password.

I could replicate this on a fairly standard Ubuntu GNOME 17.04 installation, with GNOME 3.24.1. It doesn't happen on previous or later GNOME versions.
Comment 1 adriantovick 2017-06-15 13:49:17 UTC
Created attachment 353823 [details]
video repro

Attached video of the issue.
Comment 2 Ray Strode [halfline] 2017-09-11 21:06:37 UTC
Looks like a regression caused by the fix for bug 780520. We no longer set ran_once to TRUE after the greeter is started, so we try to autologin when user switching, which succeeds and immediately unlocks the screen.
Comment 3 Ray Strode [halfline] 2017-09-11 21:09:34 UTC
Fix should be to check for is_initial in addition to ran_once when deciding whether or not to autologin.
Comment 4 Ray Strode [halfline] 2017-09-11 21:11:43 UTC
Created attachment 359561 [details] [review]
manager: don't allow autologin from transient displays

In theory, we're only supposed to allow autologin
the first time a session is run, but we only count a
session run once it's finished.  This means that if a
user creates a transient session to user switch, before
they've logged out the first time at boot up, that
transient session will begin autologin as well (which
actually gets treated as an auto unlock).

This commit makes sure autologin is only ever run on
the initial display.
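The gating logic from comments 2 to 4, modelled as an added example (hypothetical code, not GDM's own): the pre-fix rule decides on ran_once alone, so a transient user-switch display created before the first logout is autologged in and the lock screen falls away, while the fixed rule also requires is_initial. The Display and Manager structs and the autologin_count scenario are assumptions constructed here; only the names ran_once and is_initial come from the report.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of the autologin gate discussed in comments 2-4. It is
 * constructed for illustration and is not GDM's code; only the flag names
 * ran_once and is_initial are taken from the report. */
typedef struct {
    bool is_initial;        /* the first display at boot, not a transient user-switch one */
} Display;
typedef struct {
    bool autologin_enabled;
    bool ran_once;          /* set only once a session has finished (user logged out) */
} Manager;

/* Pre-fix rule: autologin whenever no session has finished yet. */
static bool should_autologin_buggy(const Manager *m, const Display *d)
{
    (void)d;
    return m->autologin_enabled && !m->ran_once;
}

/* Fixed rule: additionally require the initial display. */
static bool should_autologin_fixed(const Manager *m, const Display *d)
{
    return m->autologin_enabled && !m->ran_once && d->is_initial;
}

/* Scenario from the report: boot with autologin, lock the screen, then pick
 * "log in as another user" before ever logging out. Returns how many displays
 * were autologged in: 1 is correct, 2 means the lock screen was bypassed. */
static int autologin_count(bool (*rule)(const Manager *, const Display *))
{
    Manager m = { .autologin_enabled = true, .ran_once = false };
    Display initial = { .is_initial = true };
    Display transient = { .is_initial = false };
    int n = 0;

    n += rule(&m, &initial);    /* boot-time autologin, expected under both rules */
    /* The first session is still running, so ran_once is still false when the
     * user-switch request creates the transient display. */
    n += rule(&m, &transient);
    return n;
}

int main(void)
{
    printf("pre-fix rule: %d display(s) autologged in\n", autologin_count(should_autologin_buggy));
    printf("fixed rule:   %d display(s) autologged in\n", autologin_count(should_autologin_fixed));
    return 0;
}
```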
Comment 5 Ray Strode [halfline] 2017-09-12 14:16:05 UTC
Attachment 359561 [details] pushed as 798be42 - manager: don't allow autologin from transient displays
Comment 6 Ray Strode [halfline] 2017-11-01 13:51:49 UTC
*** Bug 789638 has been marked as a duplicate of this bug. ***