Date: Thu, 2 Oct 2014 12:33:54 -0400 (EDT) From: cve-assign@...re.org To: dkg@...thhorseman.net Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: gnome-shell lockscreen bypass with printscreen key -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > https://bugzilla.gnome.org/show_bug.cgi?id=737456 Clearly, something is wrong, but the CVE ID or IDs need to apply to a specific aspect of the problem. Our understanding from https://bugzilla.gnome.org/show_bug.cgi?id=737456#c10 is that "the prtsc key is not disabled when the screen is locked" is intentional behavior. Thus, that's not the root cause. It might be reasonable to argue that, as a consequence, anyone with physical access to that key is implicitly allowed to consume memory and disk space. In many environments, anyone with physical access to that key also happens to be able to turn off the computer. There could be a CVE assignment for https://bugzilla.gnome.org/show_bug.cgi?id=737456#c20 - "for that short period of time those windows are not only shown (which is a bad enough privacy issue on it's own), but also accept input (which makes the already-bad issue even worse)." However, the bug discussion doesn't suggest that there's a reasonable way to solve this within gnome-shell itself. In other words, gnome-shell doesn't have any direct or immediate ability to control the screen when it's not running. Possibly we're left with the following, which is unusual for a CVE but still valid: "PrtSc is an unauthenticated request that's available to untrusted parties. It's also a very expensive request. The combination of this PrtSc behavior and the existence of the oom-killer allows authentication bypass for command execution. Therefore, PrtSc must be rate limited, and the lack of rate limiting is a vulnerability." Unless there's a better alternative, the CVE ID will be assigned for that vulnerability characterization. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJULX3fAAoJEKllVAevmvmsKH4H/2mB7o9lrspTzY+R09IViS00 m5b+RYKpKE9qJamASkm5CXETQ2xzGHk6iYl+sk+FXQ1K5QfwDMwBPhFxAmcG/I0M s3xPlKjrE0l5u1GcZF9N1p9pWyLd1NUgjyL5gXX6O5JKApyITkilI+aAdVRqYskZ dlZsHalhdFc3v/yQzthDCiNKYpOqtWy7+uOXHLFrKaeDdLU1z6lRWmmxm3OWSrTv f/DKQ57K/DbMERPidFPuUdHn4QoJTjhw3YgKqnfKQ5JdfESrFCKobaFZiffN86ba cf/kioXH2r904m0L75N3kvaJ8iC0GDMzSOdf1PNer3qsxDnjWJmZnQ7hP4YVaGQ= =QrXH -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.