Bug 1064695 (CVE-2014-1949)

Summary: CVE-2014-1949 cinnamon: bypass screensaver lock via the keyboard's Menu key
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, fedora, leigh123linux
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-31 07:24:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1064697    
Bug Blocks:    

Description Murray McAllister 2014-02-13 06:11:10 UTC 
Clemens Fries reported that, when using Cinnamon, it was possible to bypass the screensaver lock:

http://seclists.org/oss-sec/2014/q1/327

An attacker with physical access to the machine could use this flaw to take over the locked desktop session.

A patch is currently not yet available.
Comment 1 Murray McAllister 2014-02-13 06:12:30 UTC 
Created cinnamon tracking bugs for this issue:

Affects: fedora-all [bug 1064697]
Comment 2 Martin Prpič 2014-08-25 15:20:27 UTC 
Note that a similar issue was reported [1], which causes cinnamon to freeze when holding the 'menu' key. The original patch fixed this issue for the 'super' key (aka windows key) but the issue pertains for the menu key. Patch at [2] solves this issue.

A full explanation can be found at [3].

[1] https://github.com/linuxmint/Cinnamon/issues/3443
[2] https://github.com/mtwebster/cinnamon-screensaver/commit/da7af55f1fa966c52e15cc288d4f8928eca8cc9f
[3] https://github.com/linuxmint/Cinnamon/issues/3443#issuecomment-53219893
Comment 3 leigh scott 2014-08-26 08:48:00 UTC 
(In reply to Martin Prpic from comment #2)
> Note that a similar issue was reported [1], which causes cinnamon to freeze
> when holding the 'menu' key. The original patch fixed this issue for the
> 'super' key (aka windows key) but the issue pertains for the menu key. Patch
> at [2] solves this issue.
> 
> A full explanation can be found at [3].
> 
> [1] https://github.com/linuxmint/Cinnamon/issues/3443
> [2]
> https://github.com/mtwebster/cinnamon-screensaver/commit/
> da7af55f1fa966c52e15cc288d4f8928eca8cc9f
> [3] https://github.com/linuxmint/Cinnamon/issues/3443#issuecomment-53219893

Or better still is to fix the root cause.

https://admin.fedoraproject.org/updates/gtk3-3.10.9-2.fc20

https://bugzilla.gnome.org/show_bug.cgi?id=722106
Comment 4 Fedora Update System 2014-08-28 15:34:54 UTC 
gtk3-3.10.9-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 leigh scott 2015-07-31 07:24:07 UTC 
fixed in gtk3