Package: gnome-control-center
Version: 1:43.2-2
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: timo.lindf...@iki.fi, timo.lindf...@iki.fi, Debian Security Team <t...@security.debian.org>

Steps to reproduce:
1) Run "gnome-control-center user-accounts"
2) Click "Unlock..."
3) Enter root password
4) Click "Add User..."
5) Enter "demo2" as Name and Username and click "Add".
6) Click "Remove User..."
7) Click "Delete" when prompted.
8) Logout
9) Select "Not listed?" and login as "demo2". Set the new password when prompted.
10) Hit the GUI key and type terminal, right click to access terminal preferences
11) Set the custom command in Unnamed/Command to /bin/bash
12) Start terminal

Expected results:
9) Login fails since the user has been deleted

Actual results:
9) Login succeeds even though the user was deleted from the UI.

More info:
This issue is particularly scary since both the settings application and the login screen do not show the user after it has been deleted. This gives the user the impression that the deletion actually succeeded.

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-2-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gnome-control-center depends on:
ii  accountsservice               22.08.8-1+b1
ii  apg                           2.2.3.dfsg.1-5+b2
ii  colord                        1.4.6-2.1
ii  desktop-base                  12.0.2
ii  desktop-file-utils            0.26-1
ii  gnome-control-center-data     1:43.2-2
ii  gnome-desktop3-data           43.1-1
ii  gnome-settings-daemon         43.0-4
ii  gsettings-desktop-schemas     43.0-1
ii  libaccountsservice0           22.08.8-1+b1
ii  libadwaita-1-0                1.2.1-2
ii  libc6                         2.36-8
ii  libcairo2                     1.16.0-7
ii  libcolord-gtk4-1              0.3.0-3
ii  libcolord2                    1.4.6-2.1
ii  libcups2                      2.4.2-1+b2
ii  libepoxy0                     1.5.10-1
ii  libfontconfig1                2.14.1-3
ii  libgcr-base-3-1               3.41.1-1+b1
ii  libgdk-pixbuf-2.0-0           2.42.10+dfsg-1+b1
ii  libglib2.0-0                  2.74.5-1
ii  libgnome-bg-4-2               43.1-1
ii  libgnome-bluetooth-ui-3.0-13  42.5-2
ii  libgnome-desktop-4-2          43.1-1
ii  libgnome-rr-4-2               43.1-1
ii  libgnutls30                   3.7.8-4
ii  libgoa-1.0-0b                 3.46.0-1
ii  libgoa-backend-1.0-1          3.46.0-1
ii  libgsound0                    1.0.3-2
ii  libgtk-3-0                    3.24.36-2
ii  libgtk-4-1                    4.8.3+ds-1+b1
ii  libgtop-2.0-11                2.40.0-2
ii  libgudev-1.0-0                237-2
ii  libibus-1.0-5                 1.5.27-4
ii  libkrb5-3                     1.20.1-1
ii  libmalcontent-0-0             0.11.0-3
ii  libmm-glib0                   1.20.4-1
ii  libnm0                        1.40.10-1
ii  libnma-gtk4-0                 1.10.6-1
ii  libpango-1.0-0                1.50.12+ds-1
ii  libpangocairo-1.0-0           1.50.12+ds-1
ii  libpolkit-gobject-1-0         122-2
ii  libpulse-mainloop-glib0       16.1+dfsg1-2+b1
ii  libpulse0                     16.1+dfsg1-2+b1
ii  libpwquality1                 1.4.5-1+b1
ii  libsecret-1-0                 0.20.5-3
ii  libsmbclient                  2:4.17.5+dfsg-1
ii  libsnapd-glib-2-1             1.63-4
ii  libudisks2-0                  2.9.4-4
ii  libupower-glib3               0.99.20-2
ii  libwacom9                     2.5.0-1
ii  libx11-6                      2:1.8.3-3
ii  libxi6                        2:1.8-1+b1
ii  libxml2                       2.9.14+dfsg-1.1+b3
ii  webp-pixbuf-loader            0.0.5-5

Versions of packages gnome-control-center recommends:
ii  cracklib-runtime              2.9.6-5+b1
ii  cups-pk-helper                0.2.6-1+b1
ii  gkbd-capplet                  3.28.1-1
ii  gnome-bluetooth-sendto        42.5-2
ii  gnome-online-accounts         3.46.0-1
ii  gnome-remote-desktop          43.3-1
ii  gnome-user-docs               43.0-1
ii  gnome-user-share              43.0-1
ii  iso-codes                     4.12.0-1
ii  libcanberra-pulse             0.30-10
ii  libnss-myhostname             252.4-2
ii  libspa-0.2-bluetooth          0.3.65-1
ii  malcontent-gui                0.11.0-3
ii  network-manager-gnome         1.30.0-2
ii  polkitd                       122-2
ii  power-profiles-daemon         0.12-1+b1
ii  realmd                        0.17.1-1
ii  rygel                         0.42.0-2
ii  rygel-tracker                 0.42.0-2
ii  system-config-printer-common  1.5.18-1

Versions of packages gnome-control-center suggests:
ii  gnome-software             43.3-1
pn  gstreamer1.0-pulseaudio    <none>
ii  pkexec                     122-2
ii  x11-xserver-utils          7.7+9+b1

-- no debconf information
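
A check an administrator can run after removing an account in the Users panel, added here as an example and not part of the original report or of any Debian or GNOME tool. The function name `check_deleted` is hypothetical, and it assumes the account is a local one stored in passwd(5) and shadow(5) format files (by default /etc/passwd and /etc/shadow).

```shell
#!/bin/sh
# Added example (not from the bug report): confirm that an account removed in
# the Users panel no longer exists in the local account databases.
# Usage: check_deleted USER [PASSWD_FILE] [SHADOW_FILE]
# Prints one line per leftover entry. Returns 0 if nothing remains,
# 1 if an entry is still present, 2 if the shadow file cannot be read.
check_deleted() {
    user=$1
    passwd_file=${2:-/etc/passwd}   # assumption: local files, not LDAP/SSSD
    shadow_file=${3:-/etc/shadow}
    leftover=0

    # passwd(5): the login name is the first colon-separated field.
    # Compare the whole field so "demo" does not match "demo2".
    entry=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $6 ":" $7 }' "$passwd_file")
    if [ -n "$entry" ]; then
        echo "passwd: $user still present (uid:home:shell = $entry)"
        leftover=1
    fi

    if [ ! -r "$shadow_file" ]; then
        echo "shadow: cannot read $shadow_file, run as root to check it"
        return 2
    fi
    # shadow(5): field 2 is the password hash. Empty means no password is
    # required; a leading "!" or "*" means password login is locked.
    state=$(awk -F: -v u="$user" '$1 == u {
        if ($2 == "")          print "empty"
        else if ($2 ~ /^[!*]/) print "locked"
        else                   print "set"
    }' "$shadow_file")
    if [ -n "$state" ]; then
        echo "shadow: $user still present (password field: $state)"
        leftover=1
    fi
    return "$leftover"
}
```

Run as root after step 7, `check_deleted demo2` should print nothing and return 0 if the deletion really took effect.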