Date: Fri, 15 Jan 2021 21:14:03 +0500 From: "Alexander E. Patrakov" <patrakov@...il.com> To: Clement Lefebvre <clement.lefebvre@...uxmint.com>, oss-security@...ts.openwall.com Subject: Re: [vs] Cinnamon lock screen bypass in multiple distributions As this is already public, no need to hold it on the distros list. пт, 15 янв. 2021 г. в 21:05, Clement Lefebvre < clement.lefebvre@...uxmint.com>: > Hi Alexander, > > Many thanks for contacting us. I think it's fixed on our side, but the way > to reproduce it is slightly different. We use the virtual keyboard and long > press E, then press E with the bar on top. > > You can find the issue and resolution at > https://github.com/linuxmint/cinnamon-screensaver/issues/354. > > It's a regression (or improvement depending on the way to look at it) in > Xorg. You correctly identified this. It affects libcaribou. > > We sent them an MR but I don't think they care... their project looks > dead: https://gitlab.gnome.org/GNOME/caribou/-/merge_requests/3. > > We urged the Arch and Debian maintainers of Cinnamon to take action on > github already but no CVE was done. Like you, we don't really know if this > should be against Xorg or libcaribou. > > We patched caribou in all Mint releases that were affected (Mint 19.x, > Mint 20.x and LMDE 4). > > Mint 18.x is also affected but the versions of Cinnamon over there are > lesser than 4.2, so they don't have an on-screen keyboard in their > screensaver. > > Regards, > > Clement Lefebvre > Linux Mint > > > > On Fri, Jan 15, 2021 at 3:28 PM Alexander E. Patrakov <patrakov@...il.com> > wrote: > >> Hi, >> >> I found a trivial way to bypass the screen lock in the Cinnamon DE. >> However, I don't know how to contact Cinnamon or Linux Mint people >> properly, that's why I am posting here. Also, I am not sure whether >> this is a Cinnamon bug or Xorg bug. >> >> For the exploit to work, more than one keyboard layout needs to be >> configured in Cinnamon keyboard settings, on the "layouts" tab. In the >> demo VMs linked below, that's English and Russian. Instructions: >> >> 1. Boot the system. Or, boot a demo VM using the provided ./start.sh >> script. >> 2. Log in. In the demo VMs, the username is "user" and the password is >> "password". >> 3. Lock the screen, using the "Lock Screen" icon in the main menu. >> 4. Click the following using your mouse. On real hardware, a >> touchscreen also works, so watch out for cats doing this by accident >> ;) Important: do not use a hardware keyboard. >> >> * The virtual keyboard button at the bottom. The virtual keyboard >> should appear. >> * The country flag or two-letter code on the left of the password >> field. It should switch to RU, Russian. >> * The "q" virtual key, maybe more than once (what apparently matters >> is that the character is not in the layout indicated in the password >> field). >> >> You may need to wait a few seconds for cinnamon-screensaver to actually >> crash. >> >> Distributions affected: >> >> Linux Mint 20.1 with Cinnamon DE: >> >> https://u.pcloud.link/publink/show?code=kZBnOYXZq6WVUsKA6VQgrz9HgBGiyBC2JreX >> cinnamon-screensaver >> <https://u.pcloud.link/publink/show?code=kZBnOYXZq6WVUsKA6VQgrz9HgBGiyBC2JreXcinnamon-screensaver> >> 4.8.1+ulyssa, xserver-xorg-core 2:1.20.8-2ubuntu2.6 >> Note: if one updates the xserver-xorg-core package using apt (to >> 2:1.20.9-2ubuntu1.1~20.04.1) and reboots the VM, the bug is no longer >> reproducible, so it may be a Xorg problem, not Cinnamon DE problem, >> after all. The changelog entry for 2:1.20.8-2ubuntu6 does ring a bell, >> it's for CVE-2020-14345 "Correct bounds checking in XkbSetNames()", >> >> https://gitlab.freedesktop.org/xorg/xserver/-/commit/f7cd1276bbd4fe3a9700096dec33b52b8440788d >> . However, the _XkbCheckRequestBounds() function added by this patch >> also exists in the xorg-server version used by Arch Linux, so this >> can't be it. >> >> Debian Testing: >> >> https://u.pcloud.link/publink/show?code=kZGwUYXZC1oC2dQq0TzDxhB0OBAL87B7JAaV >> This distribution has 4.8.1-2, the only patch is for the path to PNG >> versions of country flags. xserver-xorg-core is at 2:1.20.10-2, the >> only patch is for a MIPS-specific build issue, obviously irrelevant >> here. Dist-upgrading to Debian Unstable and rebooting does not fix the >> bug. >> >> Arch Linux: >> https://u.pcloud.link/publink/show?code=kZWfUYXZ7gbkkdrvvALNp1WkDy2EkJCjBAH7 >> This distribution also has the latest released cinnamon-screensaver, >> 4.8.1-1. xorg-server version is 1.20.10-3, the only patches applied >> are for the build system, not for C code. >> >> Note: for the purpose of not destroying the evidence, the VMs above >> use "snapshot=on", so all changes will be lost on shutdown. Rebooting >> is OK. >> >> Distributions not affected: >> >> Fedora 33 (automatically switches the layout to US) >> cinnamon-screensaver 4.6.0-2.fc33 >> xorg-x11-server-common-1.20.10-1.fc33 in updates >> >> Fedora 34 pre-release (Rawhide, also automatically switches the layout to >> US) >> cinnamon-screensaver 4.8.1-1.fc34 >> xorg-x11-server-common 1.20.10-1.fc34 >> >> Debian 10 (cinnamon-screensaver 3.8.2-1 does not have a virtual keyboard) >> >> I have not tested anything else. The above data points do not let me >> conclude which package is responsible, so I cannot file a CVE at this >> point. >> >> -- >> Alexander E. Patrakov >> CV: http://u.pc.cd/wT8otalK >> > -- Alexander E. Patrakov CV: http://u.pc.cd/wT8otalK
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.