[Security issue] Lock-screen not retained when exit screensaver with TV hdmi

On my 18.04, if I lock my session, when exit the screensaver, in particular conditions, my session is no longer locked and it is accessible without typing password. In terms of security, it’s ugly. The lock-screen works fine, because if I lock my session, the password is required before the screensaver appears. As soon as the screensaver activates, then when exit screensaver, no more lock-screen. My display is a TV plugged in HDMI that I switch off after enabled lock-screen. Sometimes, the lock-screen is retained when exit screensaver. Could you help me to keep the lock-screen when exit the screensaver? I don’t want to enable the lock-screen systematically when exit the screensaver, only if I enabled the lock-screen manually. Thank you in advance
Edit:
In my opinion, it’s a critical security bug, because I can easily reproduce the problem. It seems to appears only with HDMI TV with the below conditions.

https://www.dropbox.com/s/jrh1pnln38uizi4/Ub-Mate-lock-screen-issue.mp4?dl=0

Steps to reproduce the issue :

  • Enable the locks-creen
  • Check it’s locked
  • Press Escape to blank the screen
  • Switch off the TV HDMI
  • Wait 10 s
  • Press Ctrl to wake-up the lock-screen
  • Switch on the TV
  • The lock-screen is done!
  • After, no way to enable the lock-screen immediatly

Seems to be crossposted on AskUbuntu.

@Philippe

I can't reproduce your issue on clean Ubuntu MATE 18.04 LTS installation.
Please provide more details - package names, method of MATE installation, screencast and so on.

I followed your advice, I recorded a video. I edited the first post to add the video.
We can reproduce the issue easily, but only with a TV HDMI. In my opinion, it’s a security issue.
With Live USB of Mate 18.04.1 same issue (with TV hdmi), watch this video (check at 1:40’):
https://www.dropbox.com/s/t05jvb5gu8snh49/Ub-Mate-live-lockscreen-issue.mp4?dl=0

I experienced a similar issue 6+ months ago at my previous workplace. If I had unplugged and replugged one (or both) monitors for the laptop, the lock screen could be bypassed, but not always. Since I had 2-3 screens, I can’t remember if it only bypassed on one of them.

At the time, I noticed one of the two monitors threw windows everywhere when it was turned off, so I presume some hardware (including your TV) “unplug” themselves when turned “off” and runs into this problem.

It appears to be fixed upstream:

And the downstream bug report: https://bugs.launchpad.net/ubuntu/bionic/+source/mate-screensaver/+bug/1768352

It says Bionic (18.04) is Incomplete but I have been informed by the project leader it’ll land in 18.04 updates soon:

The fixed package is in the security proposed pocket under review.

2 Likes

Bypass the lockscreen is exactly that issue. Thank you for having investigated more. I tried with Gnome3 and this issue is not appears, it seems only on Mate.
But, the issue is not only with HDMI, it appears also with DisplayPort. With DisplayPort, we can reproduce the issue:

mate-screensaver-1.20.2 with the fix is released

How to track the progress of this release for 18.04 LTS Mate?

I’m not sure as I’m not involved with the SRU packaging process. It doesn’t look like it’s reached proposed yet.

You can still install the new mate-screensaver 1.20.2 in the meantime by using the packages built for Cosmic at https://launchpad.net/ubuntu/+source/mate-screensaver/1.20.2-1 under Builds.

The downloads are:

Then install them via the terminal:

sudo dpkg -i mate-screensaver-common_*.deb mate-screensaver_*.deb

Then restart your session or computer. I just tried it in a virtual environment, and nothing broke, but I haven’t got the problematic hardware to confirm the lock screen behaviour.

It works fine, no dependencies broken and the issue is fixed, thanks

As I did it this manual upgrade, could you confirm to me, when I upgrade 18.04 to 20.04 these packages will be upgrades and will be in "normal state" (in opposite to manually upgraded)

There's nothing to worry about :slight_smile: When you upgrade to 20.04, the newer mate-screensaver package will overwrite the older version you have installed (in this case, 1.20.2)

Currently 20.04 will feature mate-screensaver 1.22.2 (focal is the codename for 20.04) which will definitely have this fixed.

1 Like