Bug 188149
| Summary: | CVE-2004-2655 xscreensaver passes password to other applications | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 3 | Reporter: | Issue Tracker <tao> | ||||
| Component: | xscreensaver | Assignee: | Ray Strode [halfline] <rstrode> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | 3.0 | CC: | security-response-team, tao | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | impact=moderate,reported=20060406,source=redhat,public=20040512 | ||||||
| Fixed In Version: | RHSA-2006-0498 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2006-05-23 20:31:46 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Issue Tracker
2006-04-06 13:52:03 UTC
Under certain circumstances, it is possible for a running application to steal the focus from xscreensaver (such as rdesktop). This can lead to a users password entered into the application in question, possibly leaking it to the outside world. More information here: http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2004-08/0018.html and here: http://www.jwz.org/xscreensaver/changelog.html (Do a search in the page for 'rdesktop' as there is no anchor for the 4.16 changelog entry). Do we know if this affects RHEL2.1? While we don't ship rdesktop for RHEL2.1, it is possible other things could trigger this flaw. I don't have anything to connect rdesktop to in order to test this. Created attachment 127565 [details]
Patch extracted from upstream tarballs
So the really interesting part of the patch is this change: - return (kstatus == GrabSuccess || - mstatus == GrabSuccess); ... + if (kstatus != GrabSuccess) /* Do not blank without a kbd grab. */ + return False; Previously it would blank the screen even if it couldn't get a keyboard grab (as long as it could get a mouse grab). That's broken and why rdesktop was causing problems. The other bits of the patch also look okay, with the exception of: + XSetInputFocus (si->dpy, None, RevertToNone, CurrentTime); In general, it's a bad idea to ever set the focus to None. The reasoning is, global keybindings are normally setup by calling XGrabKey on the root window, so if the root window or one of its ancestors doesn't have focus then global keybindings stop working. I realize it's going to grab the keyboard anyway, so it doesn't matter, but I think we should still change it to XSetInputFocus (si->dpy, window, RevertToPointerRoot, CurrentTime) and pass the xscreensaver window to focus into the nuke_focus function (and maybe call it take_focus instead of nuke_focus). I meant descendents when I said ancestors in comment 44, of course. To answer comment 41, it does look like this affects rhel 2.1. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0498.html |