CVE-2013-7273 gdm3: no prompt anymore after login cancel using disable_user_list

Debian Bug report logs - #683338
CVE-2013-7273 gdm3: no prompt anymore after login cancel using disable_user_list

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jonathan Michalon <johndescs@gmail.com>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: gdm3: no prompt anymore after login cancel using disable_user_list

Date: Mon, 30 Jul 2012 23:54:28 +0200

Package: gdm3
Version: 3.4.1-2
Severity: important

When disable_user_list is activated, entering an username and then cancelling
login (when prompted for the password) results in an empty unusable greeter.
Only solution would be to reboot using the button or restart from console. 

It seems not to affect people without disable_user_list.

In :1-greeter.log I found this:
gdm-simple-greeter[32019]: CRITICAL: get_column_number: assertion `i < gtk_tree_view_get_n_columns (treeview)' failed

A screenshot showing the emptiness may be found here:
http://misc.michalon.eu/GDM-Screenshot.png


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gdm3 depends on:
ii  accountsservice                             0.6.21-6
ii  adduser                                     3.113+nmu3
ii  dconf-gsettings-backend                     0.12.1-2
ii  dconf-tools                                 0.12.1-2
ii  debconf [debconf-2.0]                       1.5.44
ii  dpkg                                        1.16.4.3
ii  fvwm [x-window-manager]                     1:2.5.30.ds-1.1
ii  gir1.2-freedesktop                          1.32.1-1
ii  gir1.2-glib-2.0                             1.32.1-1
ii  gnome-session [x-session-manager]           3.4.2.1-1
ii  gnome-session-bin                           3.4.2.1-1
ii  gnome-session-fallback [x-session-manager]  3.4.2.1-1
ii  gnome-settings-daemon                       3.4.2-3
ii  gnome-terminal [x-terminal-emulator]        3.4.1.1-1
ii  gsettings-desktop-schemas                   3.4.2-1
ii  libaccountsservice0                         0.6.21-6
ii  libatk1.0-0                                 2.4.0-2
ii  libattr1                                    1:2.4.46-8
ii  libaudit0                                   1:1.7.18-1.1
ii  libc6                                       2.13-33
ii  libcairo-gobject2                           1.12.2-2
ii  libcairo2                                   1.12.2-2
ii  libcanberra-gtk3-0                          0.28-4
ii  libcanberra0                                0.28-4
ii  libdbus-1-3                                 1.6.0-1
ii  libdbus-glib-1-2                            0.100-1
ii  libfontconfig1                              2.9.0-6
ii  libgdk-pixbuf2.0-0                          2.26.1-1
ii  libglib2.0-0                                2.32.3-1
ii  libglib2.0-bin                              2.32.3-1
ii  libgtk-3-0                                  3.4.2-2
ii  libpam-modules                              1.1.3-7.1
ii  libpam-runtime                              1.1.3-7.1
ii  libpam0g                                    1.1.3-7.1
ii  libpango1.0-0                               1.30.0-1
ii  librsvg2-common                             2.36.1-1
ii  libselinux1                                 2.1.9-5
ii  libupower-glib1                             0.9.17-1
ii  libwrap0                                    7.6.q-23
ii  libx11-6                                    2:1.5.0-1
ii  libxau6                                     1:1.0.7-1
ii  libxdmcp6                                   1:1.1.1-1
ii  libxklavier16                               5.2.1-1
ii  libxrandr2                                  2:1.3.2-2
ii  lsb-base                                    4.1+Debian7
ii  metacity [x-window-manager]                 1:2.34.3-2
ii  policykit-1-gnome                           0.105-2
ii  twm [x-window-manager]                      1:1.0.6-1
ii  upower                                      0.9.17-1
ii  x11-common                                  1:7.7+1
ii  x11-xserver-utils                           7.7~3
ii  xterm [x-terminal-emulator]                 278-1

Versions of packages gdm3 recommends:
ii  desktop-base             7.0.0
ii  gnome-icon-theme         3.4.0-2
ii  libatk-adaptor [at-spi]  2.5.3-1
ii  x11-xkb-utils            7.7~1
ii  xserver-xephyr           2:1.12.1.902-1
ii  xserver-xorg             1:7.7+1
ii  zenity                   3.4.0-2

Versions of packages gdm3 suggests:
ii  gnome-mag             1:0.16.3-1
ii  gnome-orca            3.4.2-2
ii  gnome-shell           3.4.1-8
ii  gok                   2.30.0-1
ii  libpam-gnome-keyring  3.4.1-4

-- debconf information:
* shared/default-x-display-manager: gdm3
  gdm3/daemon_name: /usr/sbin/gdm3

Message #10 received at 683338@bugs.debian.org (full text, mbox, reply):

From: colliar <colliar4ever@aol.com>

To: Debian Bug Tracking System <683338@bugs.debian.org>

Subject: Re: gdm3: no prompt anymore after login cancel using disable_user_list

Date: Thu, 06 Sep 2012 14:29:39 +0200

Package: gdm3
Version: 3.4.1-2
Followup-For: Bug #683338

Hi

I have exactly the same problem, except I do not find the mentioned line in my
log files.

Colliar



-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (99, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gdm3 depends on:
ii  accountsservice                             0.6.21-6
ii  adduser                                     3.113+nmu3
ii  dconf-gsettings-backend                     0.12.1-2
ii  dconf-tools                                 0.12.1-2
ii  debconf [debconf-2.0]                       1.5.46
ii  dpkg                                        1.16.8
ii  gir1.2-freedesktop                          1.32.1-1
ii  gir1.2-glib-2.0                             1.32.1-1
ii  gnome-session [x-session-manager]           3.4.2.1-1
ii  gnome-session-bin                           3.4.2.1-1
ii  gnome-session-fallback [x-session-manager]  3.4.2.1-1
ii  gnome-settings-daemon                       3.4.2-4+b1
ii  gnome-terminal [x-terminal-emulator]        3.4.1.1-1+build1
ii  gsettings-desktop-schemas                   3.4.2-1
ii  libaccountsservice0                         0.6.21-6
ii  libatk1.0-0                                 2.4.0-2
ii  libattr1                                    1:2.4.46-8
ii  libaudit0                                   1:1.7.18-1.1
ii  libc6                                       2.13-35
ii  libcairo-gobject2                           1.12.2-2
ii  libcairo2                                   1.12.2-2
ii  libcanberra-gtk3-0                          0.28-4
ii  libcanberra0                                0.28-4
ii  libdbus-1-3                                 1.6.0-1
ii  libdbus-glib-1-2                            0.100-1
ii  libfontconfig1                              2.9.0-7
ii  libgdk-pixbuf2.0-0                          2.26.1-1
ii  libglib2.0-0                                2.32.3-1
ii  libglib2.0-bin                              2.32.3-1
ii  libgtk-3-0                                  3.4.2-3
ii  libpam-modules                              1.1.3-7.1
ii  libpam-runtime                              1.1.3-7.1
ii  libpam0g                                    1.1.3-7.1
ii  libpango1.0-0                               1.30.0-1
ii  librsvg2-common                             2.36.1-1
ii  libselinux1                                 2.1.9-5
ii  libupower-glib1                             0.9.17-1
ii  libwrap0                                    7.6.q-24
ii  libx11-6                                    2:1.5.0-1
ii  libxau6                                     1:1.0.7-1
ii  libxdmcp6                                   1:1.1.1-1
ii  libxklavier16                               5.2.1-1
ii  libxrandr2                                  2:1.3.2-2
ii  lsb-base                                    4.1+Debian7
ii  metacity [x-window-manager]                 1:2.34.3-3
ii  policykit-1-gnome                           0.105-2
ii  upower                                      0.9.17-1
ii  x11-common                                  1:7.7+1
ii  x11-xserver-utils                           7.7~3
ii  xterm [x-terminal-emulator]                 278-1

Versions of packages gdm3 recommends:
pn  at-spi            <none>
ii  desktop-base      7.0.3
ii  gnome-icon-theme  3.4.0-2
ii  x11-xkb-utils     7.7~1
ii  xserver-xephyr    2:1.12.3-1
ii  xserver-xorg      1:7.7+1
ii  zenity            3.4.0-2

Versions of packages gdm3 suggests:
pn  gnome-mag             <none>
pn  gnome-orca            <none>
ii  gnome-shell           3.4.2-1
pn  gok                   <none>
ii  libpam-gnome-keyring  3.4.1-5

-- Configuration Files:
/etc/gdm3/daemon.conf changed:
[daemon]
[security]
[xdmcp]
[greeter]
IncludeAll = false
[chooser]
[debug]

/etc/gdm3/greeter.gsettings changed:
[org.gnome.desktop.session]
session-name='gdm-fallback'
[org.gnome.login-screen]
logo='/usr/share/icons/gnome/48x48/places/debian-swirl.png'
fallback-logo='/usr/share/icons/gnome/48x48/places/debian-swirl.png'
disable-user-list=true
[org.gnome.power-manager]
icon-policy='never'
[org.gnome.desktop.sound]
event-sounds=false
[org.gnome.metacity]
compositing-manager=false


-- debconf information:
* shared/default-x-display-manager: gdm3
  gdm3/daemon_name: /usr/sbin/gdm3

Message #15 received at 683338@bugs.debian.org (full text, mbox, reply):

From: paul.szabo@sydney.edu.au

To: 683338@bugs.debian.org

Subject: Re: gdm3: no prompt anymore after login cancel using disable_user_list

Date: Mon, 8 Oct 2012 09:22:02 +1100

I see the same problem at version 3.4.1-3. I do not see any "funny" log
lines, just two copies of

Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0xc00007 (Login Wind)
Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed.

added to /var/log/gdm3/:0-greeter.log .

I can press Atl-Ctrl-Backspace to cause the X server to die, then X and
the greeter restart correctly.

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

Message #20 received at 683338@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Jonathan Michalon <johndescs@gmail.com>, 683338@bugs.debian.org

Cc: colliar <colliar4ever@aol.com>, paul.szabo@sydney.edu.au

Subject: Re: Bug#683338: gdm3: no prompt anymore after login cancel using disable_user_list

Date: Wed, 29 May 2013 14:48:45 +0200

Hi GNOME Maintainers

On Mon, Jul 30, 2012 at 11:54:28PM +0200, Jonathan Michalon wrote:
> Package: gdm3
> Version: 3.4.1-2
> Severity: important
> 
> When disable_user_list is activated, entering an username and then cancelling
> login (when prompted for the password) results in an empty unusable greeter.
> Only solution would be to reboot using the button or restart from console. 
> 
> It seems not to affect people without disable_user_list.
> 
> In :1-greeter.log I found this:
> gdm-simple-greeter[32019]: CRITICAL: get_column_number: assertion `i < gtk_tree_view_get_n_columns (treeview)' failed
> 
> A screenshot showing the emptiness may be found here:
> http://misc.michalon.eu/GDM-Screenshot.png

We are seeing the same here at our environment, where showing the
user list is not really practicable.

But the problem does not seem only present when disabling the user
listing. Even with disable_user_list=false, after cancelling a login,
the greeter gets confused and it's not possible anymore to scroll the
user list shown.

Regards,
Salvatore

Message #25 received at 683338@bugs.debian.org (full text, mbox, reply):

From: shirish शिरीष <shirishag75@gmail.com>

To: 683338@bugs.debian.org

Subject: I have had the same issue with gdm greeter quite a few times.

Date: Wed, 29 May 2013 18:55:07 +0530

Hi all,
I have been having the same issue as Salvatore Bonaccorso even though
mine is gdm:3.6.1-2 version and not gdm3.4.1-8 .

By same issue I mean

"But the problem does not seem only present when disabling the user
listing. Even with disable_user_list=false, after cancelling a login,
the greeter gets confused and it's not possible anymore to scroll the
user list shown." - Salvatore Bonaccorso

I have to be very careful when logging in otherwise the only option is
to reboot the system.

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (10, 'unstable'), (1,
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.8-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_IN.utf8, LC_CTYPE=en_IN.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gdm3 depends on:
ii  accountsservice                        0.6.30-2
ii  adduser                                3.113+nmu3
ii  dconf-gsettings-backend                0.16.0-1
ii  dconf-tools                            0.16.0-1
ii  debconf [debconf-2.0]                  1.5.50
ii  dpkg                                   1.16.10
ii  gir1.2-glib-2.0                        1.36.0-2+b1
ii  gnome-session-bin                      3.8.2.1-1
ii  gnome-settings-daemon                  3.8.2-2
ii  gnome-terminal [x-terminal-emulator]   3.8.0.1-1
ii  gsettings-desktop-schemas              3.8.0-1
ii  guake [x-terminal-emulator]            0.4.4-1
ii  kde-window-manager [x-window-manager]  4:4.10.2-2
ii  konsole [x-terminal-emulator]          4:4.10.2-2
ii  libaccountsservice0                    0.6.30-2
ii  libatk1.0-0                            2.8.0-2
ii  libaudit0                              1:1.7.18-1.1
ii  libc6                                  2.17-3
ii  libcairo-gobject2                      1.12.14-4
ii  libcairo2                              1.12.14-4
ii  libcanberra-gtk3-0                     0.28-6
ii  libcanberra0                           0.30-1
ii  libfontconfig1                         2.9.0-7.1
ii  libgdk-pixbuf2.0-0                     2.28.1-1
ii  libglib2.0-0                           2.36.1-2build1
ii  libglib2.0-bin                         2.36.1-2build1
ii  libgtk-3-0                             3.8.2-1
ii  libpam-modules                         1.1.3-9
ii  libpam-runtime                         1.1.3-9
ii  libpam0g                               1.1.3-9
ii  libpango1.0-0                          1.32.5-5
ii  librsvg2-common                        2.36.4-2
ii  libselinux1                            2.1.9-5
ii  libupower-glib1                        0.9.17-1
ii  libwrap0                               7.6.q-24
ii  libx11-6                               2:1.5.0-1+deb7u1
ii  libxau6                                1:1.0.7-1
ii  libxdmcp6                              1:1.1.1-1
ii  libxrandr2                             2:1.4.0-1
ii  lsb-base                               4.1+Debian11
ii  metacity [x-window-manager]            1:2.34.3-4
ii  mutter [x-window-manager]              3.8.2-1
ii  policykit-1-gnome                      0.105-2
ii  razorqt-session [x-session-manager]    0.5.2-2
ii  twm [x-window-manager]                 1:1.0.6-1
ii  upower                                 0.9.17-1
ii  x11-common                             1:7.7+3
ii  x11-xserver-utils                      7.7~3
ii  xfce4-session [x-session-manager]      4.10.1-1
ii  xfce4-terminal [x-terminal-emulator]   0.6.2-1
ii  xfwm4 [x-window-manager]               4.10.1-1
ii  xterm [x-terminal-emulator]            278-4

Versions of packages gdm3 recommends:
ii  at-spi2-core               2.8.0-2
ii  desktop-base               7.0.3
ii  gnome-icon-theme           3.8.2-1
ii  gnome-icon-theme-symbolic  3.8.2.2-1
ii  x11-xkb-utils              7.7~1
ii  xserver-xephyr             2:1.12.4-6
ii  xserver-xorg               1:7.7+3
ii  zenity                     3.8.0-1

Versions of packages gdm3 suggests:
pn  gnome-orca            <none>
pn  gnome-shell           <none>
pn  gok                   <none>
ii  libpam-gnome-keyring  3.4.1-5

-- Configuration Files:
/etc/gdm3/daemon.conf changed:
[daemon]
AutomaticLoginEnable=false
[security]
[xdmcp]
[greeter]
[chooser]
[debug]
  Enable = true


-- debconf-show failed
-- 
          Regards,
          Shirish Agarwal  शिरीष अग्रवाल
  My quotes in this email licensed under CC 3.0
http://creativecommons.org/licenses/by-nc/3.0/
http://flossexperiences.wordpress.com
065C 6D79 A68C E7EA 52B3  8D70 950D 53FB 729A 8B17

Message #30 received at 683338@bugs.debian.org (full text, mbox, reply):

From: Emilio Pozuelo Monfort <pochu@debian.org>

To: shirish शिरीष <shirishag75@gmail.com>, 683338@bugs.debian.org

Subject: Re: Bug#683338: I have had the same issue with gdm greeter quite a few times.

Date: Wed, 29 May 2013 16:05:16 +0200

On 29/05/13 15:25, shirish शिरीष wrote:
> I have to be very careful when logging in otherwise the only option is
> to reboot the system.

You can go to a tty and restart gdm if it hangs or starts to act weirdly.

Emilio

Message #35 received at 683338@bugs.debian.org (full text, mbox, reply):

From: paul.szabo@sydney.edu.au

To: 683338@bugs.debian.org

Cc: pochu@debian.org, shirishag75@gmail.com

Subject: Bug#683338: use Atl-Ctrl-Backspace

Date: Thu, 30 May 2013 08:52:28 +1000

>> I have to be very careful when logging in otherwise the only option is
>> to reboot the system.
> You can go to a tty and restart gdm if it hangs or starts to act weirdly.

As per  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683338#15 :

I can press Atl-Ctrl-Backspace to cause the X server to die, then X and
the greeter restart correctly.

Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

Message #40 received at 683338@bugs.debian.org (full text, mbox, reply):

From: Sébastien Villemot <sebastien@debian.org>

To: shirish शिरीष <shirishag75@gmail.com>, 683338@bugs.debian.org

Cc: Salvatore Bonaccorso <carnil@debian.org>, paul.szabo@sydney.edu.au, colliar <colliar4ever@aol.com>, Jonathan Michalon <johndescs@gmail.com>

Subject: Re: Bug#683338: gdm3: no prompt anymore after login cancel using disable_user_list

Date: Sat, 15 Jun 2013 16:03:28 +0200

[Message part 1 (text/plain, inline)]

Control: tags -1 + confirmed patch

Le mercredi 29 mai 2013 à 18:55 +0530, shirish शिरीष a écrit :

> I have been having the same issue as Salvatore Bonaccorso even though
> mine is gdm:3.6.1-2 version and not gdm3.4.1-8 .

I confirm the bug in both wheezy and sid (with disable_user_list=true).

Here is an analysis of the bug:

- when the user clicks "Cancel", a D-Bus signal is emitted, which leads
to the function gdm_greeter_login_window_reset() being called

- this latter function calls reset_dialog_after_messages(), and then
restarts all extensions

- the problem is that there are pending messages, which will be
processed before calling reset_dialog(); therefore the reset_dialog()
function is actually called *after* the extensions have been restarted

- since the reset_dialog() calls reset_extension() on all extensions,
those are left in a disabled state, and the authentication does not
start

I attach a patch that solves the problem in a minimalistic way, with no
risk of breaking anything else. Maybe there is a better way of solving
the problem by refactoring the logic, but I could not figure it.

Joss: can you please review the patch? If you agree with it, I would
like to fix the bug in wheezy (which means first fixing it in sid).

> "But the problem does not seem only present when disabling the user
> listing. Even with disable_user_list=false, after cancelling a login,
> the greeter gets confused and it's not possible anymore to scroll the
> user list shown." - Salvatore Bonaccorso

When disable_user_list=false, there is indeed also a problem, but this
is a different issue. It only affects sid (not wheezy), and I guess it
is related to GTK+ 3.8.

-- 
 .''`.    Sébastien Villemot
: :' :    Debian Developer
`. `'     http://www.dynare.org/sebastien
  `-      GPG Key: 4096R/381A7594

[bug683338.diff (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #47 received at 683338@bugs.debian.org (full text, mbox, reply):

From: Gregorio Corral <goyo@adm.it.uc3m.es>

To: 683338@bugs.debian.org

Subject: Re: Bug#683338: gdm3: no prompt anymore after login cancel using disable_user_list

Date: Mon, 15 Jul 2013 16:25:44 +0200

[Message part 1 (text/plain, inline)]

Hi all:

This patch "fix" the problem with the cancel button. Thanks.

But something similar happen when the login process
fail (when the user type an incorrect  password or something like that).

Any idea to fix this ?

Greetings
Goyo


  ****************************************************
  GREGORIO CORRAL TORRES
  Labs Technician
  Department of Telematic Engineering
  Universidad Carlos III de Madrid
  E-mail: gregorio.corral@uc3m.es  Telephone: (+34) 91-624-9959
  Visit at: www.it.uc3m.es
  *****************************************************

[Message part 2 (text/html, inline)]

Message #52 received at 683338@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: 683338@bugs.debian.org, Gregorio Corral <goyo@adm.it.uc3m.es>, Sébastien Villemot <sebastien@debian.org>, 683338-submitter@bugs.debian.org

Subject: i'm also seeing gdm3 fail to allow a login on wheezy

Date: Mon, 15 Jul 2013 14:05:07 -0400

[Message part 1 (text/plain, inline)]

re http://bugs.debian.org/683338 --

I also have a situation where the user list is too long to use normally,
so i need to set disable_user_list=true.  this followup assumes that
this setting is made in /etc/gdm/greeter.gsettings, all in the context
of a debian wheezy system.

While the patch supplied by Sébastien Villemot [0] does resolve the
situation when a user clicks "cancel" during a login, it also appears to
break the login dialog box when someone enters the wrong password (as
reported by Gregorio Corral [1]).  With the patch, if you fail to enter
the correct password, the dialog box remains with no UI elements.

Sébastien, can you confirm that behavior?  have you tried failing a
login with your patch applied?

Is this problem reported upstream anywhere?  This appears to make the
login manager basically unusable for anything but single-user machines.
Encouraging people to "zap" the X server to get it to restart, or
encouraging logging in from a text mode console to kill gdm somehow are
not really acceptable options.

Has this been reported upstream anywhere?

	--dkg

[0] http://bugs.debian.org/683338#40
[1] http://bugs.debian.org/683338#47

[signature.asc (application/pgp-signature, attachment)]

Message #62 received at 683338@bugs.debian.org (full text, mbox, reply):

From: Gregorio Corral <goyo@adm.it.uc3m.es>

To: 683338@bugs.debian.org

Subject: Re: gdm3: no prompt anymore after login cancel using disable_user_list

Date: Tue, 16 Jul 2013 17:44:51 +0200

[Message part 1 (text/plain, inline)]

 Hi all:

  I know that is not a solution, at least not an elegant one.

I have rewrote the gdm3-3.4.1/gui/simple-greeter/gdm-greeter-login-window.c
 file to disable the Esc Key and not show the Cancel button.

 ...
 565
 566         /* goyo: show_widget (login_window, "cancel-button", show); */
 567         show_widget (login_window, "cancel-button", FALSE);
 568 }
 ...
1959         if (event->keyval == GDK_KEY_Escape) {
1960                 if (login_window->priv->dialog_mode ==
MODE_AUTHENTICATION
1961                     || login_window->priv->dialog_mode ==
MODE_TIMED_LOGIN) {
1962                         /* goyo: do_cancel (GDM_GREETER_LOGIN_WINDOW
(widget)); */
1963                 }
1964         }

 I have not Calcel-Button  but in this way i not "lost" the login window.

 Greetings
 Goyo.


  ****************************************************
  GREGORIO CORRAL TORRES
  Labs Technician
  Department of Telematic Engineering
  Universidad Carlos III de Madrid
  E-mail: gregorio.corral@uc3m.es  Telephone: (+34) 91-624-9959
  Visit at: www.it.uc3m.es
  *****************************************************

[Message part 2 (text/html, inline)]

Message #67 received at 683338@bugs.debian.org (full text, mbox, reply):

From: Sébastien Villemot <sebastien@debian.org>

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Cc: 683338@bugs.debian.org, Gregorio Corral <goyo@adm.it.uc3m.es>, 683338-submitter@bugs.debian.org

Subject: Re: i'm also seeing gdm3 fail to allow a login on wheezy

Date: Tue, 16 Jul 2013 16:45:46 -0700

[Message part 1 (text/plain, inline)]

Control: tags -1 - patch

Le lundi 15 juillet 2013 à 14:05 -0400, Daniel Kahn Gillmor a écrit :

> While the patch supplied by Sébastien Villemot [0] does resolve the
> situation when a user clicks "cancel" during a login, it also appears to
> break the login dialog box when someone enters the wrong password (as
> reported by Gregorio Corral [1]).  With the patch, if you fail to enter
> the correct password, the dialog box remains with no UI elements.
> 
> Sébastien, can you confirm that behavior?  have you tried failing a
> login with your patch applied?

Thanks for testing my patch. I am currently too far from a test machine
to confirm the problem that you describe, but given that 2 people are
experiencing it, my patch must be broken. We'll have to find a better
solution.

> Has this been reported upstream anywhere?

Yes, it has been reported upstream as indicated by the "forwarded
upstream" status of the present Debian bug report (it is 
#704284 in bugzilla.gnome.org). However I am not sure that upstream is
going to invest time in fixing this, since they removed the fallback
greeter in recent GDM versions.

-- 
 .''`.    Sébastien Villemot
: :' :    Debian Developer
`. `'     http://www.dynare.org/sebastien
  `-      GPG Key: 4096R/381A7594

[signature.asc (application/pgp-signature, inline)]

Message #77 received at 683338@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: Sébastien Villemot <sebastien@debian.org>

Cc: 683338@bugs.debian.org, Gregorio Corral <goyo@adm.it.uc3m.es>, 683338-submitter@bugs.debian.org

Subject: Re: i'm also seeing gdm3 fail to allow a login on wheezy

Date: Wed, 17 Jul 2013 10:27:20 -0400

[Message part 1 (text/plain, inline)]

On 07/16/2013 07:45 PM, Sébastien Villemot wrote:

> Yes, it has been reported upstream as indicated by the "forwarded
> upstream" status of the present Debian bug report (it is 
> #704284 in bugzilla.gnome.org).

Right, that was me forwarding it upstream :)

> However I am not sure that upstream is
> going to invest time in fixing this, since they removed the fallback
> greeter in recent GDM versions.

if you're talking about upstream's commit
8dbec8431d558b9d33adc987de2f7a58815589d4 by Ray Strode ("gui: drop
fallback greeter"), which references an upstream bug [0], that itself
was reverted in upstream commit 1732d1c22e88d6f05f5b5e234990ce68b0e59cc0 .

Is this just a "fallback greeter" issue?  how does the shell-based
greeter deal with disable-user-list=true ?

	--dkg

[0] https://bugzilla.gnome.org/show_bug.cgi?id=688665

[signature.asc (application/pgp-signature, attachment)]

Message #85 received at 683338@bugs.debian.org (full text, mbox, reply):

From: Sébastien Villemot <sebastien@debian.org>

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Cc: 683338@bugs.debian.org, Gregorio Corral <goyo@adm.it.uc3m.es>, 683338-submitter@bugs.debian.org

Subject: Re: i'm also seeing gdm3 fail to allow a login on wheezy

Date: Wed, 17 Jul 2013 15:25:49 -0700

[Message part 1 (text/plain, inline)]

Le mercredi 17 juillet 2013 à 10:27 -0400, Daniel Kahn Gillmor a écrit :
> On 07/16/2013 07:45 PM, Sébastien Villemot wrote:
> 
> > Yes, it has been reported upstream as indicated by the "forwarded
> > upstream" status of the present Debian bug report (it is 
> > #704284 in bugzilla.gnome.org).
> 
> Right, that was me forwarding it upstream :)

Oh, thanks.

> > However I am not sure that upstream is
> > going to invest time in fixing this, since they removed the fallback
> > greeter in recent GDM versions.
> 
> if you're talking about upstream's commit
> 8dbec8431d558b9d33adc987de2f7a58815589d4 by Ray Strode ("gui: drop
> fallback greeter"), which references an upstream bug [0], that itself
> was reverted in upstream commit 1732d1c22e88d6f05f5b5e234990ce68b0e59cc0 .

Ok, great. However it is unclear to me if upstream will keep this
greeter in the long run.

> Is this just a "fallback greeter" issue?  how does the shell-based
> greeter deal with disable-user-list=true ?

The shell-based greeter also has its own problems, different in both
cause and effets. Indeed disable-user-list=true does not work in
Wheezy's version, it is simply ignored (but it works in experimental). I
have tried to backport the relevant commits from 3.8 to 3.4, but it
turned out to be non trivial, so I gave up. This is tracked in Debian
BTS as #685105.

-- 
 .''`.    Sébastien Villemot
: :' :    Debian Developer
`. `'     http://www.dynare.org/sebastien
  `-      GPG Key: 4096R/381A7594

[signature.asc (application/pgp-signature, inline)]

Message #93 received at 683338@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: oss-security@lists.openwall.com, 683338@bugs.debian.org

Subject: Re: [oss-security] CVE request: lightdm-gtk-greeter - local DOS due to NULL pointer dereference

Date: Tue, 07 Jan 2014 14:50:24 -0500

[Message part 1 (text/plain, inline)]

[replying to http://www.openwall.com/lists/oss-security/2014/01/07/5]

On 01/07/2014 05:47 AM, Guido Berhoerster wrote:
> an openSUSE user discovered that it is trivial to crash
> lightdm-gtk-greeter by entering an empty username due to a NULL
> pointer dereference. When a greeter crashes the lightdm daemon
> exits.
> This constitutes a local denial of service which can be triggered
> by any unprivileged attacker requiring the intervention of an
> administrator to restart lightdm. It affects all versions of
> lightdm-gtk-greeter.

Hm, if this warrants a CVE for lightdm, then gdm3 needs one also:

 https://bugzilla.gnome.org/show_bug.cgi?id=704284
 http://bugs.debian.org/683338

Basically, when gdm3 is configured to not show a list of users (but
instead shows a blank box for the login prompt), if the user clicks
"cancel" or hits the escape key, then the greeter gets put into a mode
without any way to log in (no prompts available).

I've tried to debug it but it appears to be due to some sort of
timing-dependent case.  When i step through the code with gdb, i haven't
been able to reproduce the issue.

It is definitely a bad situation for machines in public locations with
this configuration.

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Message #98 received at 683338@bugs.debian.org (full text, mbox, reply):

From: cve-assign@mitre.org

To: dkg@fifthhorseman.net

Cc: cve-assign@mitre.org, oss-security@lists.openwall.com, 683338@bugs.debian.org

Subject: Re: CVE request: lightdm-gtk-greeter - local DOS due to NULL pointer dereference

Date: Tue, 7 Jan 2014 17:33:20 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://www.openwall.com/lists/oss-security/2014/01/07/10

> gdm3 needs one also

> Basically, when gdm3 is configured to not show a list of users (but
> instead shows a blank box for the login prompt), if the user clicks
> "cancel" or hits the escape key, then the greeter gets put into a mode
> without any way to log in (no prompts available).

Use CVE-2013-7273.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSzIACAAoJEKllVAevmvmshH0IAI7wY+ot8z57Mo8hEIHoWfK7
+7BqyjzAV10B9hZ/9B5cWhHkt7wWfbi3n/e9TSHGrjjQCkhF8jMwHqEP3ZZVQWMI
jKmr1itzzBwJ5NCNFTfGyIM2aw4OYDiEBhybQSyOitldRztoR2doY7Kj+X/62QVy
iTrx0oUmCkyqsxode7CNpH44KEZJ+SkwLjQxtUVSyB4vTRY3+VqxsG+jvhaTU3kC
teKWvSwr3Un9mLOKVNyGXIPH1+b6l8sko04i+J6Vu9bUHG7HMjc+Zhqmgfn8UID8
BwPe/otGan2pfi9e8b40pu9u5N1d7+qDUSoJypCLjG0rwQEVM64KYHxCfJsexCg=
=pNJS
-----END PGP SIGNATURE-----

Message #111 received at 683338-submitter@bugs.debian.org (full text, mbox, reply):

From: Laurent Bigonville <bigon@debian.org>

To: control@bugs.debian.org

Cc: 683338-submitter@bugs.debian.org

Subject: closing 683338

Date: Wed, 07 May 2014 14:58:40 +0200

close 683338 3.8.3-1
thanks

Hi,

In 3.8.3-1 the fallback greeter code has been removed, but then re-added but
kept disabled in debian. The code has been removed again during the next cycle
(3.9-3.10).

So this bug should be fixed

Cheers,

Laurent Bigonville

Message #122 received at 683338@bugs.debian.org (full text, mbox, reply):

From: Baptiste PELLEGRIN <pellegrin.baptiste@gmail.com>

To: 683338@bugs.debian.org

Subject: CVE-2013-7273 fix on next Wheezy point release.

Date: Wed, 11 Jun 2014 15:03:53 +0200

Hello,

Since this bug is tagged as "path" and "security", Is there a chance
that the problem will be corrected on the next Wheezy point release ?

Since this bug is forwarded, do I need tho send my patch to the upstream
gdm maintainers ?

Cheers, Baptiste

Message #127 received at 683338-close@bugs.debian.org (full text, mbox, reply):

From: Josselin Mouette <joss@debian.org>

To: 683338-close@bugs.debian.org

Subject: Bug#683338: fixed in gnome-shell 3.14.2-1

Date: Mon, 01 Dec 2014 17:49:09 +0000

Source: gnome-shell
Source-Version: 3.14.2-1

We believe that the bug you reported is fixed in the latest version of
gnome-shell, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683338@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Josselin Mouette <joss@debian.org> (supplier of updated gnome-shell package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 30 Nov 2014 13:52:46 +0100
Source: gnome-shell
Binary: gnome-shell gnome-shell-common gnome-shell-dbg
Architecture: source all amd64
Version: 3.14.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Josselin Mouette <joss@debian.org>
Description:
 gnome-shell - graphical shell for the GNOME desktop
 gnome-shell-common - common files for the GNOME graphical shell
 gnome-shell-dbg - Debugging symbols for GNOME Shell
Closes: 683338
Changes:
 gnome-shell (3.14.2-1) unstable; urgency=medium
 .
   * gnome-shell.gsettings-override: remove shotwell which is no longer
     part of the default installation.
   * New upstream bugfix release.
     + Summarize notifications instead of queuing up.
   * Bump (build-)dependencies on mutter.
   * 01_network_list.patch: patch from upstream git. Fix an UI bug when
     removing network connections.
   * 02_auth_prompt.patch: patch from upstream git. Fix the prompt with
     disable_user_list after canceling an attempt. Closes: #683338.
Checksums-Sha1:
 c943a1fec81cdaad69e25bf9b816617bade12c7a 3463 gnome-shell_3.14.2-1.dsc
 fe2b709cdec3fb56a11f0143d37285520bcb1be8 1590640 gnome-shell_3.14.2.orig.tar.xz
 dda27f02addf11685252bb35afc015de4ae271bd 21904 gnome-shell_3.14.2-1.debian.tar.xz
 9723465fc0270546a406ee9f58cf8fc4bd5d17de 639258 gnome-shell-common_3.14.2-1_all.deb
 00e20f56fede0a792547f573b3fc98de2a171b9a 637698 gnome-shell_3.14.2-1_amd64.deb
 fd97606b22191f463218d629db9df8d7eec8fb61 768746 gnome-shell-dbg_3.14.2-1_amd64.deb
Checksums-Sha256:
 d806e10555fc62232713c689d22f4d67bc2c981241b0ecae0631307a00727762 3463 gnome-shell_3.14.2-1.dsc
 4166656cac98da9b2fbd5c315ca1c4f34e06f1f5423ae058831ceb51ea5deda1 1590640 gnome-shell_3.14.2.orig.tar.xz
 a79388735c193259ddad9180b5c8bd2836dd556fb1d8c6bb6b4048eddb46a4f4 21904 gnome-shell_3.14.2-1.debian.tar.xz
 27b34b74f48dd52d4e41ea0daf80c1fc2ac60d5a5774a00a5621135d47ac4496 639258 gnome-shell-common_3.14.2-1_all.deb
 2ff10d3b89a7202f981064858f6afa34fc95ea65068c649a577bd50cda9a620d 637698 gnome-shell_3.14.2-1_amd64.deb
 1b6fa455382ba421e5ca52e5a793abd37d15aee516fabfe0fd135cacc66d3dcb 768746 gnome-shell-dbg_3.14.2-1_amd64.deb
Files:
 55c4d1f855e3bd3797de1db5ce8f2e29 3463 gnome optional gnome-shell_3.14.2-1.dsc
 0144f7a5e4a7bcb2562dfa7e722ff6f2 1590640 gnome optional gnome-shell_3.14.2.orig.tar.xz
 9cb7d94824e9271c0c2b8b1ebbdf0f4f 21904 gnome optional gnome-shell_3.14.2-1.debian.tar.xz
 5e3022d8a5a89809d21486c6b7531702 639258 gnome optional gnome-shell-common_3.14.2-1_all.deb
 ca68697bf3bd4bb3891d6bff714c6259 637698 gnome optional gnome-shell_3.14.2-1_amd64.deb
 e5d36c66d5b1501dd26c7177083a748d 768746 debug extra gnome-shell-dbg_3.14.2-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBVHyoieePdRdw6BVUAQKhOxAAlYWvDVSi79kqQbh44gP0Ew+4yL2r8Y0y
a+sDt6BTWz77VcwOolbnzU3neK4MajfLyOXvpQNLVMeqe4tWE1t20FWZYsPMMaai
+lQHXsB939vvpR3INsuuIJkAzRjp5BNgBdx+l9nFYFbXDLsOYIGqKPJWFAaCNHnB
s96mu5bJrc7QnaTm7S4MoND8YF9OzN0daeg4h9d6DZKYAyNvT39OgJelMlSp3mBU
FBmONoQxLTQ1YJ4IoWbKzwmR35uK9aaaHleaz14ijg1oJuD+ZkrLfeufGfpUHak1
3GLPgWmBfMvYVFs2usQjxza+KTDuCRRq5iPMFBRgCPxlytuuQUFPMATYBD/jvYzN
SAg2N329wl3Xvg52/QZA0O1vTgzwyUk0+OKTm+OiBIXQzq4tt+G9Y+Ge00rH6w2F
gXAMDUZ4tBFlvk4/lsVaOUoAZYPSsAoyHuepkZme9sTexjHNxtx2QWqg3RF0nCd+
g8ezY5zUSTP0KVTdMCAV1Zr2l2PNMf862MbHOPrPypAiuyY3N9RKQScqj01D0tKA
XQyZzySU2krqfKHUSClGW6VNDQ/Tno/168JQzSkvW88frfQxoJQwXCKKU2LmUWU/
lTQ9t91hOGkjXcETL8FOo05rRxJFVesSlUcbXDnGAzB6DwjojHlr/5KrL+lNo/G2
tj54LE6Wjuc=
=RhyH
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.