This bug was fixed in the package lightdm - 1.22.0-0ubuntu4
---------------
lightdm (1.22.0-0ubuntu4) artful; urgency=medium

  * SECURITY UPDATE: Guest session not confined (LP: #1663157)
    - debian/50-disable-guest.conf:
    - debian/lightdm.install:
      - Disable guest sessions by default, this can be overridden by custom
        configuration (e.g. /etc/lightdm/lightdm.conf)
    - CVE-2017-8900

 -- Robert Ancell <[email protected]>  Mon, 19 Jun 2017 16:32:24 +1200

** Changed in: lightdm (Ubuntu Artful)
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/1663157
Title:
Guest session processes are not confined in 16.10 and newer releases
Status in Light Display Manager:
New
Status in apparmor package in Ubuntu:
Invalid
Status in lightdm package in Ubuntu:
Fix Released
Status in lightdm source package in Yakkety:
Fix Released
Status in lightdm source package in Zesty:
Fix Released
Status in lightdm source package in Artful:
Fix Released
Bug description:
Processes launched under a lightdm guest session are not confined by
the /usr/lib/lightdm/lightdm-guest-session AppArmor profile in Ubuntu
16.10, Ubuntu 17.04, and Ubuntu Artful (current dev release). The
processes are unconfined.

The simple test case is to log into a guest session, launch a terminal
with ctrl-alt-t, and run the following command:

    $ cat /proc/self/attr/current

Expected output, as seen in Ubuntu 16.04 LTS, is:

    /usr/lib/lightdm/lightdm-guest-session (enforce)

Running the command inside of an Ubuntu 16.10 and newer guest session
results in:

    unconfined
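
The test case in the bug description checks a single process by hand. As an added example (not part of the bug report or of lightdm), the shell function below applies the same check to every process owned by one UID and lists those not running under the profile in enforce mode. The function name, its arguments and the choice to select processes by UID are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report or the lightdm package.
#
# audit_guest_confinement PROC_ROOT UID [PROFILE]
#   Prints "PID LABEL" for every process owned by UID whose AppArmor label
#   is not exactly "PROFILE (enforce)". Returns 1 if any were found.
#   On a live system: audit_guest_confinement /proc "$(id -u GUEST_USER)"
#   where GUEST_USER is a placeholder for the guest account name.
audit_guest_confinement() {
    proc_root=$1
    target_uid=$2
    profile=${3:-/usr/lib/lightdm/lightdm-guest-session}
    rc=0
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/status" ] || continue      # process exited mid-scan
        # Real UID is the first value on the "Uid:" line of /proc/PID/status.
        uid=$(awk '$1 == "Uid:" { print $2; exit }' "$dir/status" 2>/dev/null)
        [ "$uid" = "$target_uid" ] || continue
        # Same file the report reads with `cat /proc/self/attr/current`.
        label=$(cat "$dir/attr/current" 2>/dev/null) || continue
        case $label in
            "$profile (enforce)") ;;          # confined as expected
            # "unconfined", complain mode, or any other profile is reported.
            *) printf '%s %s\n' "${dir##*/}" "${label:-<empty>}"; rc=1 ;;
        esac
    done
    return $rc
}
```

A profile loaded in complain mode is reported as well, since it logs policy violations without blocking them.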