Hi all,
thanks a lot, I upgraded to MATE 22.04 and could confirm that marco is
no longer recognising its keybindings.
---
However I discovered a second issue some minutes ago:
I installed MATE 22.04 on another system with some special keys on the
keyboard and one of the keys (Fn + F9) on the
This bug was fixed in the package marco - 1.26.0-3ubuntu1
---
marco (1.26.0-3ubuntu1) jammy; urgency=medium
* debian/patches:
+ Add 1000_add-no-keybindings.patch (LP: #1948339)
-- Martin Wimpress Tue, 12 Apr 2022 10:28:18 +0100
** Changed in: marco (Ubuntu)
Status:
This bug was fixed in the package arctica-greeter - 0.99.1.5-2nmu3
---
arctica-greeter (0.99.1.5-2nmu3) jammy; urgency=medium
* debian/patches:
+ Add 2002_shutdown-dialog-font.patch. (LP: #1916770)
* debian/control:
+ Version Recommends: marco (>= 1.26.0-3~) (LP:
@bkanbach I can version marco Recommends ensuring both packages update
in lockstep. I have spoken to the Ubuntu Security team and they will
handle the CVE assignment.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
** Changed in: arctica-greeter (Ubuntu)
Status: In Progress => Fix Committed
** Changed in: marco (Ubuntu)
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
That sounds great, thank you very much. I guess it's an optimal way to
keep the marco look-and-feel and have it invoked securely at the same
time.
Could there be a scenario where arctica-greeter is upgraded on a system
but marco is not? (e.g. arctica-greeter invoking "marco --no-
keybindings"
** Changed in: arctica-greeter (Ubuntu)
Status: Triaged => In Progress
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1948339
Title:
Logon screen can be bypassed using various
** Changed in: marco (Ubuntu)
Status: Triaged => In Progress
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1948339
Title:
Logon screen can be bypassed using various shortcuts
Sorry for the late reply on this issue. I only saw it a few days ago.
I've spoken with the Arctica greeter developer and we've been working on
a fix.
The issue is this, Arctica Greeter requires a window manager and it
invokes Marco, the window manager from MATE Desktop. Marco handles
keybindings
Exactly, so at the moment only the following are affected:
- impish
- jammy
I've added a few comments to the arctica-greeter repo and issued a pull
request that basically reverts the commit that introduced the weakness.
However this still needs to be reviewed by the maintainers
--
You
hirsute (21.04) is EOL, but Thank you for your research @Bastian
** Tags removed: hirsute
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1948339
Title:
Logon screen can be bypassed
Hi all,
narrowed it down and found out that arctica-greeter is invoking "marco"
to make handling of windows opened by some of the indicators easier.
However marco listens for any keybindings and that's the reason why
keybindings are working on the logon screen.
The affected code path was
** Tags removed: groovy
** Tags added: jammy
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1948339
Title:
Logon screen can be bypassed using various shortcuts
Status in Ubuntu
Thanks :)
I haven't registered a CVE yet and I'm waiting for final confirmation
which components are causing the described issue. Happy to contribute
to the ArcticaProject issue tracker directly.
As you also mentioned I can confirm that the affected arctica-greeter
version is present in the
Upstream is now informed via
https://github.com/ArcticaProject/arctica-greeter/issues/28 . I cited this bug
there.
Bastian Kanbach (bkanbach), you are welcome to add more comments there.
** Bug watch added: github.com/ArcticaProject/arctica-greeter/issues #28
Lightdm - https://github.com/canonical/lightdm/issues/214 .
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1948339
Title:
Logon screen can be bypassed using various shortcuts
Status
Your daughter does good work :)
Thanks
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1948339
Title:
Logon
17 matches
Mail list logo