Bug#980071: gnome-shell: Using suspend in the gnome-shell power off/log out menu does log out and suspend in the wrong order
A Ozbay
ago_debianbug at protonmail.com
Wed Jan 13 23:31:40 GMT 2021
Package: gnome-shell
Version: 3.38.2-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: ago_debianbug at protonmail.com, Debian Security Team <team at security.debian.org>
When I use the suspend option in the power off/log out menu, gnome-shell first logs me off, as if I had clicked log off instead. Then, when I enter my password on this screen, my computer enters suspend mode. Upon resuming my PC from suspend, I am logged into my user account without a password prompt.
This enables a person with physical access to the machine in a suspended state to log into my account without any password required whatsoever, which is a grave security issue.
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.4 (SMP w/24 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gnome-shell depends on:
ii dconf-gsettings-backend [gsettings-backend] 0.38.0-1
ii evolution-data-server 3.38.2-2
ii gir1.2-accountsservice-1.0 0.6.55-3
ii gir1.2-atspi-2.0 2.38.0-2
ii gir1.2-freedesktop 1.66.1-1+b1
ii gir1.2-gcr-3 3.38.0-1
ii gir1.2-gdesktopenums-3.0 3.38.0-2
ii gir1.2-gdm-1.0 3.38.2.1-1
ii gir1.2-geoclue-2.0 2.5.7-2
ii gir1.2-glib-2.0 1.66.1-1+b1
ii gir1.2-gnomebluetooth-1.0 3.34.3-2
ii gir1.2-gnomedesktop-3.0 3.38.2-1
ii gir1.2-gstreamer-1.0 1.18.2-1
ii gir1.2-gtk-3.0 3.24.24-1
ii gir1.2-gweather-3.0 3.36.1-1
ii gir1.2-ibus-1.0 1.5.23-2
ii gir1.2-mutter-7 3.38.2-1
ii gir1.2-nm-1.0 1.28.0-2+b1
ii gir1.2-nma-1.0 1.8.30-1
ii gir1.2-pango-1.0 1.46.2-3
ii gir1.2-polkit-1.0 0.105-29
ii gir1.2-rsvg-2.0 2.50.2+dfsg-1
ii gir1.2-soup-2.4 2.72.0-2
ii gir1.2-upowerglib-1.0 0.99.11-2
ii gjs 1.66.1-1
ii gnome-backgrounds 3.38.0-1
ii gnome-settings-daemon 3.38.1-2
ii gnome-shell-common 3.38.2-1
ii gsettings-desktop-schemas 3.38.0-2
ii gstreamer1.0-pipewire 0.3.15-1
ii libatk-bridge2.0-0 2.38.0-1
ii libatk1.0-0 2.36.0-2
ii libc6 2.31-9
ii libcairo2 1.16.0-5
ii libecal-2.0-1 3.38.2-2
ii libedataserver-1.2-25 3.38.2-2
ii libgcr-base-3-1 3.38.0-1
ii libgdk-pixbuf-2.0-0 2.42.2+dfsg-1
ii libgirepository-1.0-1 1.66.1-1+b1
ii libgjs0g 1.66.1-1
ii libgles2 1.3.2-1
ii libglib2.0-0 2.66.4-1
ii libglib2.0-bin 2.66.4-1
ii libgnome-autoar-0-0 0.2.4-2
ii libgnome-desktop-3-19 3.38.2-1
ii libgraphene-1.0-0 1.10.2-1
ii libgtk-3-0 3.24.24-1
ii libical3 3.0.8-2
ii libjson-glib-1.0-0 1.6.0-2
ii libmutter-7-0 3.38.2-1
ii libnm0 1.28.0-2+b1
ii libpango-1.0-0 1.46.2-3
ii libpangocairo-1.0-0 1.46.2-3
ii libpolkit-agent-1-0 0.105-29
ii libpolkit-gobject-1-0 0.105-29
ii libpulse-mainloop-glib0 14.0-2
ii libpulse0 14.0-2
ii libsecret-1-0 0.20.4-1
ii libsystemd0 247.2-4
ii libwayland-server0 1.18.0-2~exp1.1
ii libx11-6 2:1.6.12-1
ii libxfixes3 1:5.0.3-2
ii python3 3.9.1-1
Versions of packages gnome-shell recommends:
ii bolt 0.9-1
ii chrome-gnome-shell 10.1-5
ii gdm3 3.38.2.1-1
ii gkbd-capplet 3.26.1-1
ii gnome-control-center 1:3.38.2-2
ii gnome-menus 3.36.0-1
ii gnome-user-docs 3.38.2-1
ii ibus 1.5.23-2
ii iio-sensor-proxy 3.0-1
ii switcheroo-control 2.1-1
ii unzip 6.0-25
Versions of packages gnome-shell suggests:
pn gir1.2-telepathyglib-0.12 <none>
pn gir1.2-telepathylogger-0.2 <none>
Versions of packages gnome-session depends on:
ii gnome-session-bin 3.38.0-3
ii gnome-session-common 3.38.0-3
ii gnome-settings-daemon 3.38.1-2
Versions of packages gnome-session suggests:
ii desktop-base 10.0.3
ii gnome-keyring 3.36.0-1
Versions of packages gnome-settings-daemon depends on:
ii gnome-settings-daemon-common 3.38.1-2
ii gsettings-desktop-schemas 3.38.0-2
ii libasound2 1.2.4-1.1
ii libc6 2.31-9
ii libcairo2 1.16.0-5
ii libcanberra-gtk3-0 0.30-7
ii libcanberra0 0.30-7
ii libcolord2 1.4.4-2
ii libcups2 2.3.3op1-5
ii libfontconfig1 2.13.1-4.2
ii libgcr-base-3-1 3.38.0-1
ii libgdk-pixbuf-2.0-0 2.42.2+dfsg-1
ii libgdk-pixbuf2.0-0 2.40.2-2
ii libgeoclue-2-0 2.5.7-2
ii libgeocode-glib0 3.26.2-2
ii libglib2.0-0 2.66.4-1
ii libgnome-desktop-3-19 3.38.2-1
ii libgtk-3-0 3.24.24-1
ii libgudev-1.0-0 234-1
ii libgweather-3-16 3.36.1-1
ii liblcms2-2 2.9-4+b1
ii libmm-glib0 1.14.8-0.1
ii libnm0 1.28.0-2+b1
ii libnotify4 0.7.9-2
ii libnspr4 2:4.29-1
ii libnss3 2:3.60-1
ii libpam-systemd [logind] 247.2-4
ii libpango-1.0-0 1.46.2-3
ii libpangocairo-1.0-0 1.46.2-3
ii libpolkit-gobject-1-0 0.105-29
ii libpulse-mainloop-glib0 14.0-2
ii libpulse0 14.0-2
ii libupower-glib3 0.99.11-2
ii libwacom2 1.7-1
ii libwayland-client0 1.18.0-2~exp1.1
ii libx11-6 2:1.6.12-1
ii libxext6 2:1.3.3-1.1
ii libxi6 2:1.7.10-1
Versions of packages gnome-settings-daemon recommends:
ii iio-sensor-proxy 3.0-1
ii pulseaudio 14.0-2
ii x11-xserver-utils 7.7+8
Versions of packages gnome-settings-daemon suggests:
pn usbguard <none>
Versions of packages libgjs0g depends on:
ii libc6 2.31-9
ii libcairo-gobject2 1.16.0-5
ii libcairo2 1.16.0-5
ii libffi7 3.3-5
ii libgcc-s1 10.2.1-3
ii libgirepository-1.0-1 1.66.1-1+b1
ii libglib2.0-0 2.66.4-1
ii libmozjs-78-0 78.4.0-2
ii libreadline8 8.1-1
ii libstdc++6 10.2.1-3
ii libx11-6 2:1.6.12-1
Versions of packages gnome-shell is related to:
ii libegl-mesa0 [libegl-vendor] 20.3.2-1
ii libgl1-mesa-dri 20.3.2-1
ii libglx-mesa0 [libglx-vendor] 20.3.2-1
-- no debconf information