A security issue in cinnamon-screensaver, caused by an issue in caribou that was exposed by a CVE fix in X.org server, has been reported:
https://github.com/linuxmint/cinnamon-screensaver/issues/354

The proposed fix is here:
https://gitlab.com/linuxmint/pins/mint/caribou/-/commit/00653c5dcc4be5e983b670d00d5724fc21da2e82

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patch available from Linux Mint
fixed in cauldron and fix pushed in mga7: src: caribou-0.4.21-3.1.mga7
Assignee: bugsquad => qa-bugs
Whiteboard: MGA7TOO => (none)
CC: (none) => mageia
Version: Cauldron => 7
Status comment: Patch available from Linux Mint => (none)
Package list:
caribou-0.4.21-3.1.mga7
caribou-gtk2-0.4.21-3.1.mga7
caribou-gtk3-0.4.21-3.1.mga7
libcaribou0-0.4.21-3.1.mga7
libcaribou-devel-0.4.21-3.1.mga7
libcaribou-gir1.0-0.4.21-3.1.mga7

from caribou-0.4.21-3.1.mga7.src.rpm
https://github.com/linuxmint/cinnamon-screensaver/issues/354

MGA7 Cinnamon

While screensaver active, the following procedure makes libcairo crash:
Long press "e"
Choose "ē"
OK (Kid hacking...)

So updating to
caribou-0.4.21-3.1.mga7
caribou-gtk2-0.4.21-3.1.mga7
caribou-gtk3-0.4.21-3.1.mga7
libcaribou0-0.4.21-3.1.mga7
libcaribou-devel-0.4.21-3.1.mga7
libcaribou-gir1.0-0.4.21-3.1.mga7

Try it... no crash.
This is OK.
MGA7-64-OK
CC: (none) => ouaurelien
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory information in Comment 0, package list in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
This has now been posted to oss-security: https://www.openwall.com/lists/oss-security/2021/01/15/1
Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue in caribou, that was exposed by a CVE fix in X.org server, permits a screensaver-lock bypass. It is possible to crash the screensaver and unlock the desktop via the virtual keyboard.

References:
- https://github.com/linuxmint/cinnamon-screensaver/issues/354
- https://www.openwall.com/lists/oss-security/2021/01/15/1
========================

Updated package in core/updates_testing:
========================
caribou-0.4.21-3.1.mga7
caribou-gtk2-0.4.21-3.1.mga7
caribou-gtk3-0.4.21-3.1.mga7
libcaribou0-0.4.21-3.1.mga7
libcaribou-devel-0.4.21-3.1.mga7
libcaribou-gir1.0-0.4.21-3.1.mga7

from SRPM:
caribou-0.4.21-3.1.mga7.src.rpm

Advisory pushed to SVN.
Keywords: (none) => advisory
Source RPM: caribou-0.4.21-8.mga8.src.rpm => caribou-0.4.21-3.mga7.src.rpm
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0043.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Ubuntu has issued an advisory for this on May 17: https://ubuntu.com/security/notices/USN-4958-1
This is CVE-2021-3567: https://lists.suse.com/pipermail/sle-security-updates/2021-June/008985.html
Summary: caribou new screen lock bypass security issue => caribou new screen lock bypass security issue (CVE-2021-3567)