Community Packages


FS#54075 - [deepin-session-ui] User Account Lock Bypass through QDBusConnection Crash

Attached to Project: Community Packages
Opened by .. (aldi) - Tuesday, 16 May 2017, 00:02 GMT
Last edited by Felix Yan (felixonmars) - Wednesday, 24 May 2017, 07:00 GMT
Task Type: Bug Report
Category: Packages
Status: Closed
Assigned To: Felix Yan (felixonmars)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

Hi there guys.
My name's Aldi and I want to report a bug I discovered accidentally on my Manjaro Deepin & Arch Linux installation.

The bug I discovered is that when I lock my Manjaro Deepin / Arch Linux user account (of course I have already logged in) and I try to get access back in by entering my correct password, here is what I did and it resulted in User Account Lock Bypass.

The steps to reproduce the bug I found are as follows:

1. Lock your user (after you've logged in of course).
2. Press the ENTER button a bunch of times with an empty password field.
3. After Step 2 Manjaro Deepin will try to show you the "Wrong Password!"; you just have to do some more tries of a wrong password (take for example 123).
4. Then after you have followed steps 2 and 3 all you have to do now is to click somewhere on the screen for a bit of time (just make a bunch of clicks here and there on the screen).

I could not believe my eyes when I was just playing with my lock screen, that after I attempted a bunch of wrong password entries and randomly clicking 'fast' on the lock screen the Lock protection disappeared and the Desktop showed up.

Note that while waiting for the community to issue a fix on the bug, another Arch Linux user reported that he could reproduce the same bug on his latest up-to-date (15-05-2017) Arch Linux installation and that he was able to bypass the User Account Lock mechanism.
He also provided a dmesg output for me to show that it was indeed the same function (QDBusConnection) crashing and thus bypassing the lock mechanism.

dmesg output:
[11383.806000] QDBusConnection[18458]: segfault at 185f160 ip 000000000185f160 sp 00007fa4f61ed9b8 error 15
[11412.909334] QDBusConnection[18469]: segfault at 18ded50 ip 00000000018ded50 sp 00007f77a182d9b8 error 15

PS: Please be patient when clicking on the screen, all you have to do is to click many times for a fairly long amount of time (approx. 30 secs).

- Credits worth giving to anderberin for the reproduction of the bug on the standard Arch Linux distro.
- The link to my original issue on https://github.com/linuxdeepin/developer-center/issues/286

Thank you for your time.

Best Regards,
Aldi!

Closed by  Felix Yan (felixonmars)
Wednesday, 24 May 2017, 07:00 GMT
Reason for closing:  Fixed
Additional comments about closing:  4.0.6-2
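
The two dmesg lines quoted in the report can be decoded mechanically to see what kind of fault took the lock screen down. The following is an added example, not part of the original report or of Deepin's code; it assumes the x86 kernel segfault log format, and the names `parse_segfault`, `watched_crashes` and the watch list are illustrative.

```python
import re

# x86 page-fault error-code bits. The kernel prints the code in hex, so
# "error 15" in the report is 0x15, not decimal 15.
PF_BITS = {0x01: "protection-violation",  # clear: page not present
           0x02: "write",                 # clear: read
           0x04: "user-mode",
           0x08: "reserved-bit",
           0x10: "instruction-fetch"}

SEGFAULT_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<comm>.+?)\[(?P<pid>\d+)\]: segfault at "
    r"(?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ "
    r"error (?P<err>[0-9a-f]+)")

def parse_segfault(line):
    """Return a dict describing one kernel segfault line, or None."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    err, addr, ip = (int(m[k], 16) for k in ("err", "addr", "ip"))
    return {
        "time": float(m["ts"]),
        "comm": m["comm"],  # task name as logged by the kernel
        "pid": int(m["pid"]),
        "flags": [name for bit, name in PF_BITS.items() if err & bit],
        # Instruction fetch from the faulting address itself, on a present
        # page: the CPU tried to execute from non-executable memory.
        "nx_fetch": addr == ip and (err & 0x11) == 0x11,
    }

def watched_crashes(lines, watched=("QDBusConnection",)):
    """Segfault events whose task name is on the watch list."""
    events = (parse_segfault(line) for line in lines)
    return [e for e in events if e and e["comm"] in watched]

# The first two lines are the dmesg output quoted in the report; the third
# is a constructed, unrelated line that must be ignored.
SAMPLE = [
    "[11383.806000] QDBusConnection[18458]: segfault at 185f160 ip 000000000185f160 sp 00007fa4f61ed9b8 error 15",
    "[11412.909334] QDBusConnection[18469]: segfault at 18ded50 ip 00000000018ded50 sp 00007f77a182d9b8 error 15",
    "[11420.000000] usb 1-1: new high-speed USB device number 5 using xhci_hcd",
]

if __name__ == "__main__":
    for e in watched_crashes(SAMPLE):
        print(e["time"], e["pid"], ",".join(e["flags"]), "nx_fetch:", e["nx_fetch"])
```

Both quoted lines decode to a user-mode instruction fetch from a present, non-executable page, with the faulting address equal to the instruction pointer. A crash of the process that draws the lock screen is worth alerting on, since the report shows the desktop becoming reachable once it dies.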
