oss-sec mailing list archives

cinnamon-screensaver lock bypass (tested on Fedora 20)

From: Clemens Fries <clemens () xenoworld de>
Date: Wed, 12 Feb 2014 10:48:28 +0100 (CET)

Hello,

It is possible to circumvent the screen lock on a cinnamon session under Fedora
20 using the 'Menu' key on a keyboard. I'm posting this here, because I assume
that this is not limited to the version shipped with Fedora.

Steps to reproduce:

* Start cinnamon session
* Lock the screen (Ctrl+Alt+L)
* Press the 'Menu' key on the keyboard
* A menu appears for a brief moment
* Press 'Escape'
* Focus is now beneath the screensaver
* Press Alt+F2
* Start 'gnome-terminal'
* Type 'killall cinnamon-screensaver'

Seen on a fully patched Fedora 20 (February 12th, 2014). I had a brief look at
bugzilla.redhat.com, but it seems this has not been reported. I also tested
this on a second machine with the same outcome.

Some version information:

$ rpm -qi cinnamon
Name        : cinnamon
Version     : 2.0.14
Release     : 4.fc20
Architecture: x86_64
[...]

$ rpm -qi cinnamon-screensaver
Name        : cinnamon-screensaver
Version     : 2.0.3
Release     : 1.fc20
Architecture: x86_64
[...]


Kind regards,
Clemens

Current thread:

cinnamon-screensaver lock bypass (tested on Fedora 20) Clemens Fries (Feb 12)
- Re: cinnamon-screensaver lock bypass (tested on Fedora 20) cve-assign (Feb 12)
- Re: cinnamon-screensaver lock bypass (tested on Fedora 20) Murray McAllister (Feb 12)