Bug 350271 (CVE-2007-3920)

Summary: CVE-2007-3920 gnome-screensaver loses keyboard grab when running under compiz
Product: [Other] Security Response Reporter: Red Hat Product Security <security-response-team>
Component: vulnerabilityAssignee: Kristian Høgsberg <krh>
Status: CLOSED WORKSFORME QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ajax, jmccann, keithp, kreilly, phil, redhat-bugzilla, rstrode
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://bugzilla.gnome.org/show_bug.cgi?id=488264
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-09-17 19:13:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 357071, 357081, 357091, 357101, 357111, 363061    
Bug Blocks: 443862    

Description Lubomir Kundrak 2007-10-24 10:47:28 UTC
Description of problem:

From upstream bugzilla:

If compiz is used and "Unredirected Fullscreen mode" is turned on the
gnome-screensaver keybord grab does not work. Its possible to input into
(hidden) windows then. 

Additional info:

Upstream bug report contains patch. Feel free to request freeze break for f8 to
fix this, as it has security implications.



Comment 1 Ray Strode [halfline] 2007-10-24 11:41:31 UTC
hmm, if what the person says is true, then the patch can't be right.  that means
gnome-screensaver is running without a keyboard grab in effect?!

Comment 2 Ray Strode [halfline] 2007-10-24 11:43:08 UTC
ajax, is "XCompositeUnredirectWindow()" really dropping grabs?

Comment 3 Ray Strode [halfline] 2007-10-24 15:16:17 UTC
It looks like it is:

    for (ccw = cw->clients; ccw; ccw = ccw->next)
        if (ccw->update == update && CLIENT_ID(ccw->id) == pClient->index)     
            FreeResource (ccw->id, RT_NONE);
            return Success;

then FreeResource calls compFreeClientWindow () which does:

            UnmapWindow (pWin, FALSE);

(from looking through the code, I haven't verified it actually runs that way in

This is an X server bug.  One client shouldn't be able to break the grabs of

Comment 4 Ray Strode [halfline] 2007-10-24 18:31:55 UTC
So ajax and I talked to keithp about this a bit on IRC.

It's apparently hard to make XCompositeUnredirectWindow not have an intermediate
unmap, and while breaking grabs is sort of an unexpected side effect, this side
effect is not likely to go away in the near future.

In case it's not clear, this is not an xserver security issue.  Any client can
break the grabs of any other client, snoop on any other client, or even
disconnect any other client by design.

What this is, is a compiz bug.  It shouldn't be unredirecting after map.  It
should check if the window is fullscreen and unredirecting before the map.

moving to compiz.

Comment 5 Josh Bressers 2007-10-29 18:17:54 UTC
I'm moving this to the security response product for tracking.

Comment 8 Josh Bressers 2008-01-11 18:20:53 UTC
Here is the upstream bug report:

Comment 9 Kristian Høgsberg 2008-01-17 03:03:21 UTC
It's a bug in the xserver that it breaks grabs when a window is redirected or
unredirected.  I committed a fix upstream:


and have built the new X server in rawhide.  

Comment 11 Ray Strode [halfline] 2008-01-17 17:47:11 UTC
Awesome work, Kristian!

It's nice to see the fix wasn't as invasive as initially expected.

Comment 12 Fedora Update System 2008-01-24 21:49:20 UTC
xorg-x11-server- has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2008-01-24 21:58:02 UTC
xorg-x11-server- has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Josh Bressers 2008-01-28 21:23:15 UTC
I'm marking this as low after discussing it with krh:
    "this one is disabled by default, not documented, and you have to navigate
     through gconf-editor to enable it"

Comment 16 Red Hat Bugzilla 2009-10-23 19:05:29 UTC
Reporter changed to security-response-team by request of Jay Turner.