Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 12 Feb 2014 10:48:28 +0100 (CET)
From: Clemens Fries <clemens@...oworld.de>
To: oss-security@...ts.openwall.com
Subject: cinnamon-screensaver lock bypass (tested on Fedora 20)

Hello,

It is possible to circumvent the screen lock on a cinnamon session under Fedora
20 using the 'Menu' key on a keyboard. I'm posting this here, because I assume
that this is not limited to the version shipped with Fedora.

Steps to reproduce:

* Start cinnamon session
* Lock the screen (Ctrl+Alt+L)
* Press the 'Menu' key on the keyboard
* A menu appears for a brief moment
* Press 'Escape'
* Focus is now beneath the screensaver
* Press Alt+F2
* Start 'gnome-terminal'
* Type 'killall cinnamon-screensaver'

Seen on a fully patched Fedora 20 (February 12th, 2014). I had a brief look at
bugzilla.redhat.com, but it seems this has not been reported. I also tested
this on a second machine with the same outcome.

Some version information:

$ rpm -qi cinnamon
Name        : cinnamon
Version     : 2.0.14
Release     : 4.fc20
Architecture: x86_64
[...]

$ rpm -qi cinnamon-screensaver
Name        : cinnamon-screensaver
Version     : 2.0.3
Release     : 1.fc20
Architecture: x86_64
[...]


Kind regards,
Clemens

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.