*** This bug is a security vulnerability ***

You have been subscribed to a public security bug:

Basically I installed Ubuntu 18.04.1 LTS on an old machine (on a blank
SSD), and when I had just finished the configuration, installing
just a few apps, I thought I had seen the admin user's password during
Power Off (in the boot text screen that blinks) - as it's an old
computer I could see this text blinking.

I didn't even use this machine.

After some tests, I found out that after performing these steps:
 - turning the machine on, logging into admin user
 - logging off the admin user
 - logging in a non admin user
 - logging off the non admin user
 - logging in back to the admin user

By running `sudo cat /dev/tty1` I could see everything which was typed
in the login screen. And that is the content that appears during the
power off text screen.

For more info, please see https://askubuntu.com/questions/1114802

The steps I can remember while setting up this machine were:
 - changing region to Portuguese (Brazil) and configuring keyboard
 - installing Gweled, Pitivi, VLC, Spotify and SuperTuxKart through 'Ubuntu Software'
 - installing Google Chrome and Skype by downloading their deb packages from the official websites
 - uninstalled Thunderbird
 - updated everything

As you can see in the AskUbuntu question, I tried to simulate this by
repeating these steps in a virtual machine, but was not able to
reproduce it. One difference is that this is an old HP Pavilion laptop
with all sorts of things on it, so many drivers may be needed which will
not be present in the VM. I booted with 4.15.0-29-generic and it behaved
the same. However, during the session booting with the 4.15.0.29
recovery mode, I could not detect that symptom!

Running:

```
sudo lsof /dev/tty1
```

prints two processes, systemd-l and gdm-wayla.

I installed again the same OS on a different machine and got all the
updates installed - no external app installed this time. And I was able
to reproduce the issue. I don't know why it doesn't happen in the VM,
but it did happen on two different machines (on blank SSDs).

```
uname -a
Linux spider 4.15.0-45-generic #48-Ubuntu SMP Tue Jan 29 16:28:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
```

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: gnome-screensaver (not installed)
ProcVersionSignature: Ubuntu 4.15.0-45.48-generic 4.15.18
Uname: Linux 4.15.0-45-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.5
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Sat Feb  2 13:38:45 2019
InstallationDate: Installed on 2019-01-30 (2 days ago)
InstallationMedia: Ubuntu 18.04.1 LTS "Bionic Beaver" - Release amd64 (20180725)
SourcePackage: gnome-screensaver
Symptom: security
Title: Screen locking issue
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: gdm3 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug bionic
-- 
After switching users, I can see the passwords in /dev/tty1
https://bugs.launchpad.net/bugs/1814388
You received this bug notification because you are a member of Desktop 
Packages, which is subscribed to gdm3 in Ubuntu.
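
As an added example (not part of the original bug report, nor code from GDM or Ubuntu): the `sudo lsof /dev/tty1` check from the report, done by walking `/proc/<pid>/fd`, which reports full command names where lsof's default COMMAND column shows only the first nine characters. The function names are hypothetical, and the sample tree (PIDs, binary paths, fd numbers) is constructed so the check can be exercised without root.

```python
import os

def tty_holders(device="/dev/tty1", proc_root="/proc"):
    """Return sorted (pid, command, fd) tuples for every process holding `device` open."""
    found = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip /proc/self, /proc/sys, ...
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                  # process exited, or we are not root
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target == device:
                found.append((int(entry), _command(proc_root, entry), int(fd)))
    return sorted(found)

def _command(proc_root, pid):
    """Basename of argv[0] from cmdline, which is not truncated like lsof's column."""
    try:
        with open(os.path.join(proc_root, pid, "cmdline"), "rb") as fh:
            argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
    except OSError:
        return "?"
    return os.path.basename(argv0) or "?"

def build_sample_proc(root):
    """Constructed /proc-like tree; every value here is sample data, not from the report."""
    sample = {
        "812": ("/lib/systemd/systemd-logind", {"20": "/dev/tty1"}),
        "1490": ("/usr/lib/gdm3/gdm-wayland-session",
                 {"0": "/dev/tty1", "1": "socket:[30211]"}),
        "2001": ("/bin/bash", {"0": "/dev/pts/0"}),
    }
    for pid, (exe, fds) in sample.items():
        os.makedirs(os.path.join(root, pid, "fd"))
        with open(os.path.join(root, pid, "cmdline"), "wb") as fh:
            fh.write(exe.encode() + b"\0")
        for fd, target in fds.items():
            os.symlink(target, os.path.join(root, pid, "fd", fd))

if __name__ == "__main__":
    # On a real system, run as root so other users' fd directories are readable.
    for pid, cmd, fd in tty_holders():
        print(f"{pid:>7} {cmd} fd={fd}")
```
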
