Bug 28072 - caribou new screen lock bypass security issue
Summary: caribou new screen lock bypass security issue
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-01-12 21:28 CET by David Walser
Modified: 2021-01-17 17:08 CET

See Also:
Source RPM: caribou-0.4.21-3.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2021-01-12 21:28:52 CET
A security issue in cinnamon-screensaver, caused by an issue in caribou that was exposed by a CVE fix in X.org server, has been reported:
https://github.com/linuxmint/cinnamon-screensaver/issues/354

The proposed fix is here:
https://gitlab.com/linuxmint/pins/mint/caribou/-/commit/00653c5dcc4be5e983b670d00d5724fc21da2e82

Mageia 7 is also affected.
David Walser 2021-01-12 21:29:12 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patch available from Linux Mint

Comment 1 Nicolas Lécureuil 2021-01-13 00:18:12 CET
Fixed in cauldron and fix pushed to mga7:

src:
    caribou-0.4.21-3.1.mga7

Assignee: bugsquad => qa-bugs
Whiteboard: MGA7TOO => (none)
CC: (none) => mageia
Version: Cauldron => 7
Status comment: Patch available from Linux Mint => (none)

Comment 2 David Walser 2021-01-13 00:26:41 CET
Package list:
caribou-0.4.21-3.1.mga7
caribou-gtk2-0.4.21-3.1.mga7
caribou-gtk3-0.4.21-3.1.mga7
libcaribou0-0.4.21-3.1.mga7
libcaribou-devel-0.4.21-3.1.mga7
libcaribou-gir1.0-0.4.21-3.1.mga7

from caribou-0.4.21-3.1.mga7.src.rpm
Comment 3 Aurelien Oudelet 2021-01-14 15:24:56 CET
https://github.com/linuxmint/cinnamon-screensaver/issues/354

MGA7 Cinnamon
While screensaver active,
the following procedure makes libcairo crash:
Long press "e"
Choose "ē"

OK (Kid hacking...)

So updating to
caribou-0.4.21-3.1.mga7
caribou-gtk2-0.4.21-3.1.mga7
caribou-gtk3-0.4.21-3.1.mga7
libcaribou0-0.4.21-3.1.mga7
libcaribou-devel-0.4.21-3.1.mga7
libcaribou-gir1.0-0.4.21-3.1.mga7

Try it... no crash.
This is OK.

MGA7-64-OK

CC: (none) => ouaurelien

David Walser 2021-01-14 16:19:45 CET

Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2021-01-14 22:29:41 CET
Validating. Advisory information in Comment 0, package list in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 David Walser 2021-01-15 20:01:32 CET
This has now been posted to oss-security:
https://www.openwall.com/lists/oss-security/2021/01/15/1
Comment 6 Aurelien Oudelet 2021-01-17 15:40:31 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue in caribou that was exposed by a CVE fix in the X.org server permits a screensaver-lock bypass. It is possible to crash the screensaver and unlock the desktop via the virtual keyboard.

References:
- https://github.com/linuxmint/cinnamon-screensaver/issues/354
- https://www.openwall.com/lists/oss-security/2021/01/15/1
========================

Updated package in core/updates_testing:
========================
caribou-0.4.21-3.1.mga7
caribou-gtk2-0.4.21-3.1.mga7
caribou-gtk3-0.4.21-3.1.mga7
libcaribou0-0.4.21-3.1.mga7
libcaribou-devel-0.4.21-3.1.mga7
libcaribou-gir1.0-0.4.21-3.1.mga7

from SRPM:
caribou-0.4.21-3.1.mga7.src.rpm

Advisory pushed to SVN.

Source RPM: caribou-0.4.21-8.mga8.src.rpm => caribou-0.4.21-3.mga7.src.rpm
Keywords: (none) => advisory

Comment 7 Mageia Robot 2021-01-17 17:08:45 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0043.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
