Bug 28072

Summary: caribou new screen lock bypass security issue (CVE-2021-3567)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, mageia, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: caribou-0.4.21-3.mga7.src.rpm CVE:
Status comment:

Description David Walser 2021-01-12 21:28:52 CET 
A security issue in cinnamon-screensaver, caused by an issue in caribou that was exposed by a CVE fix in X.org server, has been reported:
https://github.com/linuxmint/cinnamon-screensaver/issues/354

The proposed fix is here:
https://gitlab.com/linuxmint/pins/mint/caribou/-/commit/00653c5dcc4be5e983b670d00d5724fc21da2e82

Mageia 7 is also affected.
David Walser 2021-01-12 21:29:12 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patch available from Linux Mint

Comment 1 Nicolas Lécureuil 2021-01-13 00:18:12 CET 
fixed in cauldron and fix pushed in mga7:

src:
    caribou-0.4.21-3.1.mga7

Assignee: bugsquad => qa-bugs
Whiteboard: MGA7TOO => (none)
CC: (none) => mageia
Version: Cauldron => 7
Status comment: Patch available from Linux Mint => (none)

Comment 2 David Walser 2021-01-13 00:26:41 CET 
Package list:
caribou-0.4.21-3.1.mga7
caribou-gtk2-0.4.21-3.1.mga7
caribou-gtk3-0.4.21-3.1.mga7
libcaribou0-0.4.21-3.1.mga7
libcaribou-devel-0.4.21-3.1.mga7
libcaribou-gir1.0-0.4.21-3.1.mga7

from caribou-0.4.21-3.1.mga7.src.rpm
Comment 3 Aurelien Oudelet 2021-01-14 15:24:56 CET 
https://github.com/linuxmint/cinnamon-screensaver/issues/354

MGA7 Cinnamon
While screensaver active,
the following procedure makes libcairo crash:
Long press "e"
Choose "ē"

OK (Kid hacking...)

So updating to
caribou-0.4.21-3.1.mga7
caribou-gtk2-0.4.21-3.1.mga7
caribou-gtk3-0.4.21-3.1.mga7
libcaribou0-0.4.21-3.1.mga7
libcaribou-devel-0.4.21-3.1.mga7
libcaribou-gir1.0-0.4.21-3.1.mga7

Try it... no crash.
This is OK.

MGA7-64-OK

CC: (none) => ouaurelien

David Walser 2021-01-14 16:19:45 CET

Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2021-01-14 22:29:41 CET 
Validating. Advisory information in Comment 0, package list in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 David Walser 2021-01-15 20:01:32 CET 
This has now been posted to oss-security:
https://www.openwall.com/lists/oss-security/2021/01/15/1
Comment 6 Aurelien Oudelet 2021-01-17 15:40:31 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue in caribou, that was exposed by a CVE fix in X.org server, permits a screensaver-lock bypass. It is possible to crash the screensaver and unlock the desktop via the virtual keyboard.

References:
- https://github.com/linuxmint/cinnamon-screensaver/issues/354
- https://www.openwall.com/lists/oss-security/2021/01/15/1
========================

Updated package in core/updates_testing:
========================
caribou-0.4.21-3.1.mga7
caribou-gtk2-0.4.21-3.1.mga7
caribou-gtk3-0.4.21-3.1.mga7
libcaribou0-0.4.21-3.1.mga7
libcaribou-devel-0.4.21-3.1.mga7
libcaribou-gir1.0-0.4.21-3.1.mga7

from SRPM:
caribou-0.4.21-3.1.mga7.src.rpm

Advisory pushed to SVN.

Keywords: (none) => advisory
Source RPM: caribou-0.4.21-8.mga8.src.rpm => caribou-0.4.21-3.mga7.src.rpm

Comment 7 Mageia Robot 2021-01-17 17:08:45 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0043.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 8 David Walser 2021-05-28 21:32:08 CEST 
Ubuntu has issued an advisory for this on May 17:
https://ubuntu.com/security/notices/USN-4958-1
Comment 9 David Walser 2021-06-10 20:43:24 CEST 
This is CVE-2021-3567:
https://lists.suse.com/pipermail/sle-security-updates/2021-June/008985.html

Summary: caribou new screen lock bypass security issue => caribou new screen lock bypass security issue (CVE-2021-3567)