Bug 1181067 - VUL-0: cinnamon-screensaver: Screensaver lock by-pass via the virtual keyboard
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.1
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Marguerite Su
Reported: 2021-01-18 15:43 UTC by Robert Frohl
Modified: 2021-01-19 06:35 UTC (History)

Found By: ---
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2021-01-18 15:43:54 UTC
via oss-security:
I found a trivial way to bypass the screen lock in the Cinnamon DE.
However, I don't know how to contact Cinnamon or Linux Mint people
properly, that's why I am posting here. Also, I am not sure whether
this is a Cinnamon bug or Xorg bug.

For the exploit to work, more than one keyboard layout needs to be
configured in Cinnamon keyboard settings, on the "layouts" tab. In the
demo VMs linked below, that's English and Russian. Instructions:

1. Boot the system. Or, boot a demo VM using the provided ./start.sh script.
2. Log in. In the demo VMs, the username is "user" and the password is
"password".
3. Lock the screen, using the "Lock Screen" icon in the main menu.
4. Click the following using your mouse. On real hardware, a
touchscreen also works, so watch out for cats doing this by accident.
Important: do not use a hardware keyboard.

 * The virtual keyboard button at the bottom. The virtual keyboard
should appear.
 * The country flag or two-letter code on the left of the password
field. It should switch to RU, Russian.
 * The "q" virtual key, maybe more than once (what apparently matters
is that the character is not in the layout indicated in the password
field).

You may need to wait a few seconds for cinnamon-screensaver to actually crash.

Distributions affected:

Linux Mint 20.1 with Cinnamon DE:
https://u.pcloud.link/publink/show?code=kZBnOYXZq6WVUsKA6VQgrz9HgBGiyBC2JreX
cinnamon-screensaver 4.8.1+ulyssa, xserver-xorg-core 2:1.20.8-2ubuntu2.6
Note: if one updates the xserver-xorg-core package using apt (to
2:1.20.9-2ubuntu1.1~20.04.1) and reboots the VM, the bug is no longer
reproducible, so it may be a Xorg problem, not a Cinnamon DE problem,
after all. The changelog entry for 2:1.20.8-2ubuntu6 does ring a bell;
it's for CVE-2020-14345 "Correct bounds checking in XkbSetNames()",
https://gitlab.freedesktop.org/xorg/xserver/-/commit/f7cd1276bbd4fe3a9700096dec33b52b8440788d.
However, the _XkbCheckRequestBounds() function added by this patch
also exists in the xorg-server version used by Arch Linux, so this
can't be it.

Debian Testing:
https://u.pcloud.link/publink/show?code=kZGwUYXZC1oC2dQq0TzDxhB0OBAL87B7JAaV
This distribution has 4.8.1-2, the only patch is for the path to PNG
versions of country flags. xserver-xorg-core is at 2:1.20.10-2, the
only patch is for a MIPS-specific build issue, obviously irrelevant
here. Dist-upgrading to Debian Unstable and rebooting does not fix the
bug.

Arch Linux: https://u.pcloud.link/publink/show?code=kZWfUYXZ7gbkkdrvvALNp1WkDy2EkJCjBAH7
This distribution also has the latest released cinnamon-screensaver,
4.8.1-1. xorg-server version is 1.20.10-3, the only patches applied
are for the build system, not for C code.

Note: for the purpose of not destroying the evidence, the VMs above
use "snapshot=on", so all changes will be lost on shutdown. Rebooting
is OK.

Distributions not affected:

Fedora 33 (automatically switches the layout to US)
cinnamon-screensaver 4.6.0-2.fc33
xorg-x11-server-common-1.20.10-1.fc33 in updates

Fedora 34 pre-release (Rawhide, also automatically switches the layout to US)
cinnamon-screensaver 4.8.1-1.fc34
xorg-x11-server-common 1.20.10-1.fc34

Debian 10 (cinnamon-screensaver 3.8.2-1 does not have a virtual keyboard)

I have not tested anything else. The above data points do not let me
conclude which package is responsible, so I cannot file a CVE at this
point.

References:
https://github.com/linuxmint/cinnamon-screensaver/issues/354
https://www.openwall.com/lists/oss-security/2021/01/15/1
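An added exposure check (the editor's, not from the report above or from cinnamon-screensaver) that turns the report's precondition, more than one configured keyboard layout, into a one-line verdict an admin can run on a Cinnamon host; the gsettings key `org.cinnamon.desktop.input-sources sources` and the dpkg-query path for the package version are assumptions, and the sample values are constructed.

```shell
#!/bin/sh
# Added audit helper for the report above; it is not part of the bug report
# or of cinnamon-screensaver. Assumption: Cinnamon keeps its layouts in the
# gsettings key org.cinnamon.desktop.input-sources "sources", formatted like
#   [('xkb', 'us'), ('xkb', 'ru')]
# The bypass needs more than one configured layout, so that is the
# precondition checked; the version is shown for comparison with the
# report's affected builds (4.8.1 on Mint/Debian/Arch).

# count_layouts VALUE: number of ('type', 'id') tuples in a sources value
count_layouts() {
    printf '%s\n' "$1" | grep -o "('[a-z]*'," | wc -l | tr -d ' '
}

# version_core VERSION: drop a Debian epoch and any distro suffix,
# e.g. "2:1.20.8-2ubuntu2.6" -> "1.20.8", "4.8.1+ulyssa" -> "4.8.1"
version_core() {
    v=${1#*:}
    v=${v%%[!0-9.]*}
    printf '%s\n' "${v:-$1}"
}

# precondition_met VALUE: exit 0 when more than one layout is configured
precondition_met() {
    [ "$(count_layouts "$1")" -gt 1 ]
}

# assess VERSION VALUE: one-line verdict with the mitigation from the report
# (a single layout removes the layout switch the bypass relies on)
assess() {
    n=$(count_layouts "$2")
    if precondition_met "$2"; then
        printf 'cinnamon-screensaver %s: %s layouts configured; precondition for the lock bypass met, reduce to one layout until a fixed build is installed\n' "$(version_core "$1")" "$n"
    else
        printf 'cinnamon-screensaver %s: %s layout(s) configured; precondition not met\n' "$(version_core "$1")" "$n"
    fi
}

# Live check on a Cinnamon host (dpkg-query is the Debian/Ubuntu/Mint path);
# elsewhere fall back to a constructed sample matching the report's demo VM.
if command -v gsettings >/dev/null 2>&1; then
    live=$(gsettings get org.cinnamon.desktop.input-sources sources 2>/dev/null || echo '[]')
    ver=$(dpkg-query -W -f '${Version}' cinnamon-screensaver 2>/dev/null || echo unknown)
    assess "$ver" "$live"
else
    assess "4.8.1+ulyssa" "[('xkb', 'us'), ('xkb', 'ru')]"  # constructed sample
fi
```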
Comment 1 Robert Frohl 2021-01-18 15:46:52 UTC
Potentially related to CVE-2020-25712 [0]; no CVE assigned as far as I can tell so far.

[0] https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-25712