This bug was fixed in the package lightdm - 1.22.0-0ubuntu4

lightdm (1.22.0-0ubuntu4) artful; urgency=medium

  * SECURITY UPDATE: Guest session not confined (LP: #1663157)
    - debian/50-disable-guest.conf:
    - debian/lightdm.install:
      - Disable guest sessions by default, this can be overridden by custom
        configuration (e.g. /etc/lightdm/lightdm.conf)
    - CVE-2017-8900

 -- Robert Ancell <>  Mon, 19 Jun 2017
16:32:24 +1200

** Changed in: lightdm (Ubuntu Artful)
       Status: In Progress => Fix Released

You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.

  Guest session processes are not confined in 16.10 and newer releases

Status in Light Display Manager:
Status in apparmor package in Ubuntu:
Status in lightdm package in Ubuntu:
  Fix Released
Status in lightdm source package in Yakkety:
  Fix Released
Status in lightdm source package in Zesty:
  Fix Released
Status in lightdm source package in Artful:
  Fix Released

Bug description:
  Processes launched under a lightdm guest session are not confined by
  the /usr/lib/lightdm/lightdm-guest-session AppArmor profile in Ubuntu
  16.10, Ubuntu 17.04, and Ubuntu Artful (current dev release). The
  processes are unconfined.

  The simple test case is to log into a guest session, launch a terminal
  with ctrl-alt-t, and run the following command:

   $ cat /proc/self/attr/current

  Expected output, as seen in Ubuntu 16.04 LTS, is:

   /usr/lib/lightdm/lightdm-guest-session (enforce)

  Running the command inside of an Ubuntu 16.10 and newer guest session
  results in:


To manage notifications about this bug go to:

Mailing list:
Post to     :
Unsubscribe :
More help   :

Reply via email to