Your message dated Mon, 4 Mar 2013 20:55:34 +0100
with message-id <20130304195534.ga...@radis.cristau.org>
and subject line Re: Bug#702234: gnome-shell: Screen lock delayed on password prompt
has caused the Debian Bug report #702234,
regarding gnome-shell: Screen lock delayed on password prompt
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
702234: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702234
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gnome-shell
Version: 3.4.2-7
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
I tried to type in the password for an encrypted wireless network, and pressed
enter. I then closed my lid, expecting it to lock the screen and suspend. It
did suspend, but when I woke it up, instead of the locked screen, it was
unlocked, and there was a password prompt there (I had got the wifi password
wrong, so it had made another prompt). This meant that without the password,
someone could look at the stuff I had on my screen. When I clicked cancel, it
then locked my screen after about half a second. I found that this is the same
when gnome-shell password prompts are given for root privileges, for example
opening synaptic, and that there is this problem not only closing my lid, but
if I wait for a minute until the screen turned off. Each time, it does not lock
the screen until just after the password prompt is closed.
I would expect the screen to lock, and probably to be presented with a password
prompt upon unlocking, but it would also solve the security issue if it
canceled the prompt when going to sleep/switching the screen off.
I could not do anything effective, other than be aware of the situation,
although this is less effective when there are surprise prompts such as when
you get a password wrong.
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages gnome-shell depends on:
Versions of packages gnome-shell recommends:
ii gkbd-capplet 3.4.0.2-1
ii gnome-contacts 3.4.1-1+b1
ii gnome-control-center 1:3.4.3.1-2
ii gnome-session-fallback 3.4.2.1-3
ii gnome-user-guide 3.4.2-1+build1
ii unzip 6.0-8
gnome-shell suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
On Mon, Mar 4, 2013 at 11:33:14 +0000, Asterix wrote:
> Package: gnome-shell
> Version: 3.4.2-7
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Dear Maintainer,
>
> I tried to type in the password for an encrypted wireless network, and pressed
> enter. I then closed my lid, expecting it to lock the screen and suspend. It
> did suspend, but when I woke it up, instead of the locked screen, it was
> unlocked, and there was a password prompt there (I had got the wifi password
> wrong, so it had made another prompt). This meant that without the password,
> someone could look at the stuff I had on my screen. When I clicked cancel, it
> then locked my screen after about half a second. I found that this is the same
> when gnome-shell password prompts are given for root privileges, for example
> opening synaptic, and that there is this problem not only closing my lid, but
> if I wait for a minute until the screen turned off. Each time, it does not lock
> the screen until just after the password prompt is closed.
>
> I would expect the screen to lock, and probably to be presented with a password
> prompt upon unlocking, but it would also solve the security issue if it
> canceled the prompt when going to sleep/switching the screen off.
>
You don't get to override an X grab, so that's not likely to change.
Cheers,
Julien
--- End Message ---