Re: [vs] Cinnamon lock screen bypass in multiple distributions

["Alexander E. Patrakov" <patrakov () gmail com>]

As this is already public, no need to hold it on the distros list.

пт, 15 янв. 2021 г. в 21:05, Clement Lefebvre <
clement.lefebvre () linuxmint com>:

> Hi Alexander,
>
> Many thanks for contacting us. I think it's fixed on our side, but the way
> to reproduce it is slightly different. We use the virtual keyboard and long
> press E, then press E with the bar on top.
>
> You can find the issue and resolution at
> https://github.com/linuxmint/cinnamon-screensaver/issues/354.
>
> It's a regression (or improvement depending on the way to look at it) in
> Xorg. You correctly identified this. It affects libcaribou.
>
> We sent them an MR but I don't think they care... their project looks
> dead: https://gitlab.gnome.org/GNOME/caribou/-/merge_requests/3.
>
> We urged the Arch and Debian maintainers of Cinnamon to take action on
> github already but no CVE was done. Like you, we don't really know if this
> should be against Xorg or libcaribou.
>
> We patched caribou in all Mint releases that were affected (Mint 19.x,
> Mint 20.x and LMDE 4).
>
> Mint 18.x is also affected but the versions of Cinnamon over there are
> lesser than 4.2, so they don't have an on-screen keyboard in their
> screensaver.
>
> Regards,
>
> Clement Lefebvre
> Linux Mint
>
>
>
> On Fri, Jan 15, 2021 at 3:28 PM Alexander E. Patrakov <patrakov () gmail com>
> wrote:
>
> > Hi,
> >
> > I found a trivial way to bypass the screen lock in the Cinnamon DE.
> > However, I don't know how to contact Cinnamon or Linux Mint people
> > properly, that's why I am posting here. Also, I am not sure whether
> > this is a Cinnamon bug or Xorg bug.
> >
> > For the exploit to work, more than one keyboard layout needs to be
> > configured in Cinnamon keyboard settings, on the "layouts" tab. In the
> > demo VMs linked below, that's English and Russian. Instructions:
> >
> > 1. Boot the system. Or, boot a demo VM using the provided ./start.sh
> > script.
> > 2. Log in. In the demo VMs, the username is "user" and the password is
> > "password".
> > 3. Lock the screen, using the "Lock Screen" icon in the main menu.
> > 4.  Click the following using your mouse. On real hardware, a
> > touchscreen also works, so watch out for cats doing this by accident
> > ;) Important: do not use a hardware keyboard.
> >
> >  * The virtual keyboard button at the bottom. The virtual keyboard
> > should appear.
> >  * The country flag or two-letter code on the left of the password
> > field. It should switch to RU, Russian.
> >  * The "q" virtual key, maybe more than once (what apparently matters
> > is that the character is not in the layout indicated in the password
> > field).
> >
> > You may need to wait a few seconds for cinnamon-screensaver to actually
> > crash.
> >
> > Distributions affected:
> >
> > Linux Mint 20.1 with Cinnamon DE:
> >
> > https://u.pcloud.link/publink/show?code=kZBnOYXZq6WVUsKA6VQgrz9HgBGiyBC2JreX
> > cinnamon-screensaver
> > <https://u.pcloud.link/publink/show?code=kZBnOYXZq6WVUsKA6VQgrz9HgBGiyBC2JreXcinnamon-screensaver>
> > 4.8.1+ulyssa, xserver-xorg-core 2:1.20.8-2ubuntu2.6
> > Note: if one updates the xserver-xorg-core package using apt (to
> > 2:1.20.9-2ubuntu1.1~20.04.1) and reboots the VM, the bug is no longer
> > reproducible, so it may be a Xorg problem, not Cinnamon DE problem,
> > after all. The changelog entry for 2:1.20.8-2ubuntu6 does ring a bell,
> > it's for CVE-2020-14345 "Correct bounds checking in XkbSetNames()",
> >
> > https://gitlab.freedesktop.org/xorg/xserver/-/commit/f7cd1276bbd4fe3a9700096dec33b52b8440788d
> > . However, the _XkbCheckRequestBounds() function added by this patch
> > also exists in the xorg-server version used by Arch Linux, so this
> > can't be it.
> >
> > Debian Testing:
> >
> > https://u.pcloud.link/publink/show?code=kZGwUYXZC1oC2dQq0TzDxhB0OBAL87B7JAaV
> > This distribution has 4.8.1-2, the only patch is for the path to PNG
> > versions of country flags. xserver-xorg-core is at 2:1.20.10-2, the
> > only patch is for a MIPS-specific build issue, obviously irrelevant
> > here. Dist-upgrading to Debian Unstable and rebooting does not fix the
> > bug.
> >
> > Arch Linux:
> > https://u.pcloud.link/publink/show?code=kZWfUYXZ7gbkkdrvvALNp1WkDy2EkJCjBAH7
> > This distribution also has the latest released cinnamon-screensaver,
> > 4.8.1-1. xorg-server version is 1.20.10-3, the only patches applied
> > are for the build system, not for C code.
> >
> > Note: for the purpose of not destroying the evidence, the VMs above
> > use "snapshot=on", so all changes will be lost on shutdown. Rebooting
> > is OK.
> >
> > Distributions not affected:
> >
> > Fedora 33 (automatically switches the layout to US)
> > cinnamon-screensaver 4.6.0-2.fc33
> > xorg-x11-server-common-1.20.10-1.fc33 in updates
> >
> > Fedora 34 pre-release (Rawhide, also automatically switches the layout to
> > US)
> > cinnamon-screensaver 4.8.1-1.fc34
> > xorg-x11-server-common 1.20.10-1.fc34
> >
> > Debian 10 (cinnamon-screensaver 3.8.2-1 does not have a virtual keyboard)
> >
> > I have not tested anything else. The above data points do not let me
> > conclude which package is responsible, so I cannot file a CVE at this
> > point.
> >
> > --
> > Alexander E. Patrakov
> > CV: http://u.pc.cd/wT8otalK

-- 
Alexander E. Patrakov
CV: http://u.pc.cd/wT8otalK