Bug 1962836 (CVE-2021-3567)

Summary: CVE-2021-3567 caribou: segfault on pressing ē since Xorg CVE-2020-25712 fix
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dueno, jcpunk, leigh123linux, pnemade
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: caribou 0.4.21 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Caribou due to a regression of CVE-2020-25712 fix. An attacker could use this flaw to bypass screen-locking applications that leverage Caribou as an input mechanism. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-26 17:32:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1962837, 1962838    
Bug Blocks: 1962839, 1965598    

Description Guilherme de Almeida Suckevicz 2021-05-20 16:36:53 UTC 
It was discovered that the Caribou onscreen keyboard could be made to crash when given certain input values. An attacker could use this to bypass screen-locking applications that support using Caribou as an input mechanism.

Reference:
https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060
Comment 1 Guilherme de Almeida Suckevicz 2021-05-20 16:37:15 UTC 
Created caribou tracking bugs for this issue:

Affects: epel-7 [bug 1962838]
Affects: fedora-all [bug 1962837]
Comment 2 Mauro Matteo Cascella 2021-05-26 14:08:36 UTC 
Upstream merge request:
https://gitlab.gnome.org/GNOME/caribou/-/merge_requests/3

Upstream fix:
https://gitlab.gnome.org/GNOME/caribou/-/commit/d41c8e44b12222a290eaca16703406b113a630c6
Comment 3 Mauro Matteo Cascella 2021-05-26 14:13:05 UTC 
Not strictly required from a security perspective, these are related issues/commits that have been ported upstream from Linux Mint:

https://gitlab.gnome.org/GNOME/caribou/-/issues/7
https://gitlab.gnome.org/GNOME/caribou/-/commit/76fbd11575f918fc898cb0f5defe07f67c11ec38

https://gitlab.gnome.org/GNOME/caribou/-/merge_requests/5
https://gitlab.gnome.org/GNOME/caribou/-/commit/ba8219ccc67d1d0964fb9ff25125c3be5fb80681
Comment 4 Mauro Matteo Cascella 2021-05-26 14:51:35 UTC 
In reply to comment #0:
> It was discovered that the Caribou onscreen keyboard could be made to crash
> when given certain input values. An attacker could use this to bypass
> screen-locking applications that support using Caribou as an input mechanism.

Specifically, this was first reported in the on-screen keyboard which runs within the Cinnamon process and uses libcaribou. Pressing ē led to a Cinnamon crash and possible screensaver lock bypass.

Cinnamon issue:
https://github.com/linuxmint/cinnamon-screensaver/issues/354
Comment 5 Mauro Matteo Cascella 2021-05-26 14:58:14 UTC 
It is worth noting that caribou is only shipped with Red Hat Enterprise Linux 7 (caribou-0.4.21) while cinnamon-screensaver is not shipped in Red Hat products.