Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#54075 - [deepin-session-ui] User Account Lock Bypass through QDBusConnection Crash
Attached to Project: Community Packages
Opened by .. (aldi) - Tuesday, 16 May 2017, 00:02 GMT
Last edited by Felix Yan (felixonmars) - Wednesday, 24 May 2017, 07:00 GMT
Details

Hi there guys.

My name's Aldi and I want to report a bug I discovered accidentally on my Manjaro Deepin & Arch Linux installation. The bug I discovered is that when I lock my Manjaro Deepin / Arch Linux user account (of course I have already logged in) and I try to get access back in by entering my correct password, here is what I did and it resulted in User Account Lock Bypass.

The steps to reproduce the bug I found are as follows:

1. Lock your user (after you've logged in of course).
2. Press the ENTER button a bunch of times with an empty password field.
3. After Step 2 Manjaro Deepin will try to show you the "Wrong Password!" message; you just have to do some more tries of a wrong password (take for example 123).
4. Then after you have followed steps 2 and 3 all you have to do now is to click somewhere on the screen for a bit of time (just make a bunch of clicks here and there on the screen).

I could not believe my eyes when I was just playing with my lock screen, that after I attempted a bunch of wrong password entries and randomly clicking 'fast' on the lock screen the Lock protection disappeared and the Desktop showed up.

Note that while waiting for the community to issue a fix on the bug, another Arch Linux user reported that he could reproduce the same bug on his latest up-to-date (15-05-2017) Arch Linux installation and that he was able to bypass the User Account Lock mechanism. He also provided a dmesg output for me to show that indeed it was the same function (QDBusConnection) crashing and thus bypassing the lock mechanism.

dmesg output:

[11383.806000] QDBusConnection[18458]: segfault at 185f160 ip 000000000185f160 sp 00007fa4f61ed9b8 error 15
[11412.909334] QDBusConnection[18469]: segfault at 18ded50 ip 00000000018ded50 sp 00007f77a182d9b8 error 15

PS: Please be patient when clicking on the screen, all you have to do is to click many times for a bit long (approx. 30 seconds) amount of time.

- Credits worth giving to anderberin for the reproduction of the bug on the standard Arch Linux distro.
- The link to my original issue on https://github.com/linuxdeepin/developer-center/issues/286

Thank you for your time.

Best Regards,
Aldi!
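For triage of the two dmesg lines quoted in the report, the following added example (not part of the original report or of the Deepin code) parses the kernel's "segfault at" format and decodes the error field. It assumes x86 page-fault error-code semantics; the kernel prints that code in hexadecimal, so "error 15" is 0x15, and the name before the PID is the kernel's task name (comm) of the crashing thread.

```python
import re

# The two kernel log lines quoted in the report above.
DMESG = """\
[11383.806000] QDBusConnection[18458]: segfault at 185f160 ip 000000000185f160 sp 00007fa4f61ed9b8 error 15
[11412.909334] QDBusConnection[18469]: segfault at 18ded50 ip 00000000018ded50 sp 00007f77a182d9b8 error 15
"""

SEGFAULT = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<comm>.+?)\[(?P<pid>\d+)\]: segfault at "
    r"(?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) "
    r"error (?P<err>[0-9a-f]+)"
)

# x86 page-fault error code bits: (mask, meaning if set, meaning if clear).
# Assumption: the machines in the report are x86; the kernel prints the code in hex.
PF_BITS = [
    (0x01, "protection violation", "page not present"),
    (0x02, "write access", "read access"),
    (0x04, "user mode", "kernel mode"),
    (0x08, "reserved bit set", None),
    (0x10, "instruction fetch", None),
]


def decode_error(code):
    """Return the conditions encoded in a page-fault error code."""
    labels = (if_set if code & mask else if_clear for mask, if_set, if_clear in PF_BITS)
    return [label for label in labels if label]


def parse_segfaults(text):
    """Parse 'segfault at' lines from dmesg text into dictionaries."""
    events = []
    for m in SEGFAULT.finditer(text):
        addr, ip, err = (int(m[k], 16) for k in ("addr", "ip", "err"))
        events.append({
            "time": float(m["ts"]), "comm": m["comm"], "pid": int(m["pid"]),
            "addr": addr, "ip": ip, "error": err, "flags": decode_error(err),
            # Fault address == instruction pointer: the fault happened while
            # fetching the instruction itself, so control reached a bad address.
            "faulted_on_fetch": addr == ip and bool(err & 0x10),
        })
    return events


if __name__ == "__main__":
    for e in parse_segfaults(DMESG):
        print(f'{e["comm"]}[{e["pid"]}] ip={e["ip"]:#x} error={e["error"]:#x}: '
              f'{", ".join(e["flags"])}; faulted_on_fetch={e["faulted_on_fetch"]}')
```

Both lines decode to a user-mode instruction fetch from a mapped but non-executable page, with the fault address equal to the instruction pointer, which points to a jump through a bad code pointer rather than a bad data access.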
Closed by Felix Yan (felixonmars)
Wednesday, 24 May 2017, 07:00 GMT
Reason for closing: Fixed
Additional comments about closing: 4.0.6-2