https://nvd.nist.gov/vuln/detail/CVE-2017-7358 "In LightDM through 1.22.0, a directory traversal issue in debian/guest-account.sh allows local attackers to own arbitrary directory path locations and escalate privileges to root when the guest user logs out." https://nvd.nist.gov/vuln/detail/CVE-2017-8900 "LightDM through 1.22.0, when systemd is used in Ubuntu 16.10 and 17.x, allows physically proximate attackers to bypass intended AppArmor restrictions and visit the home directories of arbitrary users by establishing a guest session."
I suspect we don't install either guest-account.sh (from debian specific directory) nor have the AppArmor restrictions in place that CVE-2017-8900 bypasses, but will leave bug open in case maintainers have comments.
https://www.ubuntu.com/usn/usn-3285-1/: Details Tyler Hicks discovered that LightDM did not confine the user session for guest users. An attacker with physical access could use this issue to access files and other resources that they should not be able to access. In the default installation, this includes files in the home directories of other users on the system. This update fixes the issue by disabling the guest session. It may be re-enabled in a future update. Please see the bug referenced below for instructions on how to manually re-enable the guest session.
Following up, is this still valid?
Ubuntu mentions lightdm-1.22.0 and lightdm-1.19.5 while we have 1.26.0 stable. So I'd say this bug is obsolete.
