Bug 350271 (CVE-2007-3920)
Summary: | CVE-2007-3920 gnome-screensaver loses keyboard grab when running under compiz | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Red Hat Product Security <security-response-team> |
Component: | vulnerability | Assignee: | Kristian Høgsberg <krh> |
Status: | CLOSED WORKSFORME | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | unspecified | CC: | ajax, jmccann, keithp, kreilly, phil, redhat-bugzilla, rstrode |
Target Milestone: | --- | Keywords: | Reopened, Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://bugzilla.gnome.org/show_bug.cgi?id=488264 | | |
Whiteboard: | | | |
Fixed In Version: | 1.3.0.0-40.fc8 | Doc Type: | Bug Fix |
Last Closed: | 2008-09-17 19:13:34 UTC | Type: | --- |
Bug Depends On: | 357071, 357081, 357091, 357101, 357111, 363061 | | |
Bug Blocks: | 443862 | | |
Description
Lubomir Kundrak
2007-10-24 10:47:28 UTC
hmm, if what the person says is true, then the patch can't be right. that means gnome-screensaver is running without a keyboard grab in effect?!

ajax, is "XCompositeUnredirectWindow()" really dropping grabs?

It looks like it is:

```c
for (ccw = cw->clients; ccw; ccw = ccw->next)
    if (ccw->update == update && CLIENT_ID(ccw->id) == pClient->index)
    {
        FreeResource (ccw->id, RT_NONE);
        return Success;
    }
```

then FreeResource calls compFreeClientWindow () which does:

```c
UnmapWindow (pWin, FALSE);
```

(from looking through the code, I haven't verified it actually runs that way in practice).

This is an X server bug. One client shouldn't be able to break the grabs of another.

So ajax and I talked to keithp about this a bit on IRC. It's apparently hard to make XCompositeUnredirectWindow not have an intermediate unmap, and while breaking grabs is sort of an unexpected side effect, this side effect is not likely to go away in the near future.

In case it's not clear, this is not an xserver security issue. Any client can break the grabs of any other client, snoop on any other client, or even disconnect any other client by design. What this is, is a compiz bug. It shouldn't be unredirecting after map. It should check if the window is fullscreen and unredirecting before the map. moving to compiz.

I'm moving this to the security response product for tracking.

Here is the upstream bug report: http://bugs.opencompositing.org/show_bug.cgi?id=668

It's a bug in the xserver that it breaks grabs when a window is redirected or unredirected. I committed a fix upstream: http://cgit.freedesktop.org/xorg/xserver/commit/?id=a6a7fadbb03ee99312dfb15ac478ab3c414c1c0b and have built the new X server in rawhide.

Awesome work, Kristian! It's nice to see the fix wasn't as invasive as initially expected.

xorg-x11-server-1.3.0.0-40.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

xorg-x11-server-1.3.0.0-16.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

I'm marking this as low after discussing it with krh: "this one is disabled by default, not documented, and you have to navigate through gconf-editor to enable it"

Reporter changed to security-response-team by request of Jay Turner.
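
The sequence discussed in the comments above, as an added model that is not xserver, compiz or gnome-screensaver code: a lock window holds the keyboard grab, an unredirect performs an intermediate unmap and map, and the grab is gone afterwards. All type and function names are hypothetical, and the `regrab_on_map` locker behaviour is an assumption used to show what a client-side check would look like.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the state involved; not real server structures. */
typedef struct { bool mapped; } Window;
typedef struct { Window *kbd_grab_window; } Server;   /* NULL = no active grab */

/* X protocol rule: an active keyboard grab is released automatically
 * when its grab window becomes not viewable. */
static void unmap_window(Server *s, Window *w) {
    w->mapped = false;
    if (s->kbd_grab_window == w)
        s->kbd_grab_window = NULL;
}

static void map_window(Window *w) { w->mapped = true; }

/* A grab needs a viewable window and no competing holder. */
static bool grab_keyboard(Server *s, Window *w) {
    if (!w->mapped || (s->kbd_grab_window && s->kbd_grab_window != w))
        return false;
    s->kbd_grab_window = w;
    return true;
}

/* Unredirect as described in the thread: an intermediate unmap, then a map. */
static void composite_unredirect(Server *s, Window *w) {
    unmap_window(s, w);
    map_window(w);
}

/* True while keystrokes are delivered only to the lock window. */
static bool locker_holds_keyboard(const Server *s, const Window *lock) {
    return s->kbd_grab_window == lock;
}

/* Lock the screen, let the compositor unredirect the lock window, and
 * report whether the keyboard is still grabbed. With regrab_on_map the
 * locker re-asserts its grab after the remap (assumed behaviour); the gap
 * between unmap and re-grab stays unprotected, so this only narrows it. */
bool keyboard_locked_after_unredirect(bool regrab_on_map) {
    Server s = { NULL };
    Window lock = { false };
    map_window(&lock);
    if (!grab_keyboard(&s, &lock))
        return false;
    composite_unredirect(&s, &lock);
    if (regrab_on_map && !locker_holds_keyboard(&s, &lock))
        grab_keyboard(&s, &lock);
    return locker_holds_keyboard(&s, &lock);
}
```
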