This bug was fixed in the package systemd - 240-6ubuntu9

---------------
systemd (240-6ubuntu9) eoan; urgency=medium

  * Fix typpo in storage test.
    File: debian/tests/storage
    
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f28aa5fe4ab175b99b6ea702559c59ca473b4ca8

  * Fix bashism
    File: debian/extra/dhclient-enter-resolved-hook
    
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=0725c1169ddde4f41cacba7af3e546704e2206be

systemd (240-6ubuntu8) eoan; urgency=medium

  * Only restart resolved on changes in dhclient enter hook.
    This prevents spurious restarts of resolved on rebounds when
    the addresses did not change. (LP: #1805183)
    Author: Julian Andres Klode
    File: debian/extra/dhclient-enter-resolved-hook
    
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=258893bae8cbb12670e4807636fe8f7e9fb5407a

  * Wait for cryptsetup unit to start, before stopping.
    Patch from cascardo. Plus small refactor for readability. (LP: #1814373)
    File: debian/tests/storage
    
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b65aa350be7e61c65927fbc0921a750fcfaa51cd

  * Wait for systemctl is-system-running state.
    File: debian/tests/boot-smoke
    
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=776998f1f55c445b6e385cab69a4219c42d00838

systemd (240-6ubuntu7) eoan; urgency=medium

  * Revert "Add check to switch VTs only between K_XLATE or K_UNICODE"
    This reverts commit 60407728a1a453104e3975ecfdf25a254dd7cc44.
    Files:
    - 
debian/patches/Add-check-to-switch-VTs-only-between-K_XLATE-or-K_UNICODE.patch
    - 
debian/patches/Move-verify_vc_kbmode-to-terminal-util.c-as-vt_verify_kbm.patch
    
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=18029ab5ff436bfb3b401f24cd1e3a4cf2a1579c

  * Cherrypick missing systemd-stable patches to unbreak wireguard peer 
endpoints.
    Signed-off-by: Dimitri John Ledkov <x...@ubuntu.com> (LP: #1825378)
    Author: Dan Streetman
    Files:
    - debian/patches/network-wireguard-fixes-sending-wireguard-peer-setti.patch
    - debian/patches/network-wireguard-use-sd_netlink_message_append_sock.patch
    - debian/patches/sd-netlink-introduce-sd_netlink_message_append_socka.patch
    - debian/patches/test-network-add-more-checks-in-NetworkdNetDevTests..patch
    
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=4046f515e40c4dc80d18d2303466737f1f451f11

  * Remove expected failure from passing test.
    Signed-off-by: Dimitri John Ledkov <x...@ubuntu.com> (LP: #1829450)
    Author: Dan Streetman
    File: debian/tests/systemd-fsckd
    
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=c43b12037d08555dc1d26593307726d7c7992df0

  * Fix false negative checking for running jobs after boot.
    Signed-off-by: Dimitri John Ledkov <x...@ubuntu.com> (LP: #1825997)
    Author: Dan Streetman
    File: debian/tests/boot-smoke
    
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=aeb01631efbaf3fe851dee15d496e0b66b5c347f

  * Cherrypick ask-password: prevent buffer overrow when reading from keyring.
    Signed-off-by: Dimitri John Ledkov <x...@ubuntu.com> (LP: #1814373)
    Author: Dan Streetman
    File: 
debian/patches/ask-password-prevent-buffer-overrow-when-reading-fro.patch
    
https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=6d6e9cbd4fc6e018031a4762e88f2c3aa19e24e8

 -- Dimitri John Ledkov <x...@ubuntu.com>  Thu, 30 May 2019 21:45:50
+0100

** Changed in: systemd (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1803993

Title:
  Password appears on the VT1 screen

Status in gdm3 package in Ubuntu:
  Invalid
Status in plymouth package in Ubuntu:
  Invalid
Status in systemd package in Ubuntu:
  Fix Released

Bug description:
  [Impact]

   * The keyboard on the graphical login screen started on VT1 may stop
  working and or keypresses including passwords are leaked to the
  terminal console running 'behind' the graphical login screen or
  environment.

  [Test Case]

   * Reboot after installing the fixed systemd package.
   * Install sysdig
   * Start sysdig on a remote connection or on a terminal console:
    $ sudo sysdig evt.type=ioctl | grep  request=4B4
   * While sysdig is running log in and out 3 times in GDM and press a few keys 
in the graphical session to see if keyboard still works
   * Log in and out on an other terminal console, too, running a few commands 
while being logged in to ensure that keyboard is working.
   * Observe that on terminal consoles the monitored keyboard setter ioctl is 
called with argument=3, but where the graphical screen is active only 
argument=4 is used, unlike with the buggy version observed in 
https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1803993/comments/14

  [Regression Potential]

   * The fix checks the current keyboard mode of the VT and allows only
  safe mode switches. The potential regression could be not allowing a
  valid mode switch keeping a keyboard in a non-operational mode.
  Testing covers that by typing the keyboard.

  
  (continued from bug 1767918)

  This was found when an administrative error made /home directory
  inaccessible.  Any users that tried to login after that, were not able
  to (which is expected) but their password appears on the VT1 screen.
  Under normal circumstances, VT1 is not visible. But once the system
  was sent into this compromised mode, one can press ctrl+alt+F1 and
  then ctrl+alt+F2 and get a momentary glance at VT1. One can keep
  toggling between these key combinations in order to make out the
  password(s) on VT1.

  As a further test, I wanted to see if a non-super user could cause
  this condition, and it is in fact possible. As a regular user, I made
  their own home directory not writable and then removed ~/.config and
  logged out. Then logged in as that user again, and although that user
  can't login the system does go into that mode where passwords appear
  on VT1 and are viewable with the key combinations mentioned herein.
  Further, any other users that login will see no problem, but when they
  logon their passwords also appear on VT1 and are viewable.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: gdm3 3.28.3-0ubuntu18.04.3
  Uname: Linux 4.19.2-041902-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.5
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Mon Nov 19 08:32:59 2018
  InstallationDate: Installed on 2018-08-25 (85 days ago)
  InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: gdm3
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1803993/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to