Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu,  2 Oct 2014 12:33:54 -0400 (EDT)
From: cve-assign@...re.org
To: dkg@...thhorseman.net
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: gnome-shell lockscreen bypass with printscreen key

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://bugzilla.gnome.org/show_bug.cgi?id=737456

Clearly, something is wrong, but the CVE ID or IDs need to apply to a
specific aspect of the problem.

Our understanding from
https://bugzilla.gnome.org/show_bug.cgi?id=737456#c10 is that "the
prtsc key is not disabled when the screen is locked" is intentional
behavior. Thus, that's not the root cause. It might be reasonable to
argue that, as a consequence, anyone with physical access to that key
is implicitly allowed to consume memory and disk space. In many
environments, anyone with physical access to that key also happens to
be able to turn off the computer.

There could be a CVE assignment for
https://bugzilla.gnome.org/show_bug.cgi?id=737456#c20 - "for that
short period of time those windows are not only shown (which is a bad
enough privacy issue on it's own), but also accept input (which makes
the already-bad issue even worse)." However, the bug discussion
doesn't suggest that there's a reasonable way to solve this within
gnome-shell itself. In other words, gnome-shell doesn't have any
direct or immediate ability to control the screen when it's not
running.

Possibly we're left with the following, which is unusual for a CVE but
still valid: "PrtSc is an unauthenticated request that's available to
untrusted parties. It's also a very expensive request. The combination
of this PrtSc behavior and the existence of the oom-killer allows
authentication bypass for command execution. Therefore, PrtSc must be
rate limited, and the lack of rate limiting is a vulnerability."
Unless there's a better alternative, the CVE ID will be assigned for
that vulnerability characterization.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJULX3fAAoJEKllVAevmvmsKH4H/2mB7o9lrspTzY+R09IViS00
m5b+RYKpKE9qJamASkm5CXETQ2xzGHk6iYl+sk+FXQ1K5QfwDMwBPhFxAmcG/I0M
s3xPlKjrE0l5u1GcZF9N1p9pWyLd1NUgjyL5gXX6O5JKApyITkilI+aAdVRqYskZ
dlZsHalhdFc3v/yQzthDCiNKYpOqtWy7+uOXHLFrKaeDdLU1z6lRWmmxm3OWSrTv
f/DKQ57K/DbMERPidFPuUdHn4QoJTjhw3YgKqnfKQ5JdfESrFCKobaFZiffN86ba
cf/kioXH2r904m0L75N3kvaJ8iC0GDMzSOdf1PNer3qsxDnjWJmZnQ7hP4YVaGQ=
=QrXH
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.