From URL: The gnome lock screen can be unlocked without needing a password.
Steps to Reproduce:
1. Enable Automatic Login for your account
2. Reboot
3. Lock screen
4. Click on the log in as another user button below the password prompt.
Actual results: The screen unlocks without a password being entered.
Expected results: A selection of other accounts is shown.
Help welcome identifying if 3.22.3-r1 is vulnerable or not. I believe 3.24.3 is fixed already (double checking appreciated, but gnome distro-list e-mail, NEWS item and Gilles' commit say as such), but we can't stable that just yet, so need to make sure 3.22.3-r1 is safe or needs patching.
distro-list e-mail said: "Anyone shipping GDM 3.24.1 or later should consider upgrading to 3.24.3 (or 3.26.0) which fixes a security hole. namely, if the user enables autologin, then screen lock can be bypassed by trying to initiate user switching." So I hope that implies 3.24.3-r1 is safe, and we don't actually have anything to do here, only 3.24.2 cleanup.
argh, typo, to be clear I meant "I hope that implies _3.22.3-r1_ is safe"
Tried to reproduce the issue, we are ok with gdm-3.22.3-r1. Changing whiteboard to cleanup and reassigning severity. @Maintainers, please let us know when tree is clean. Thanks, Gentoo Security Padawan ChrisADR
Tree is clean