Bug 564464 (CVE-2010-0422)

Summary: CVE-2010-0422 gnome-screensaver: loses its unlock dialog and keyboard grab sometimes when plugging and unplugging monitor repeatedly
Product: [Other] Security Response
Reporter: Ray Strode [halfline] <rstrode>
Component: vulnerability
Assignee: Nobody <nobody>
Status: MODIFIED
Severity: medium
Priority: medium
Version: unspecified
CC: dakshay, matt, tpelka, vdanen
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Bug Depends On: 564475
Attachments: patch to fix the problem (flags: none)

Description Ray Strode [halfline] 2010-02-12 20:13:25 UTC
gnome-screensaver can lose its keyboard grab when locked, exposing the system to intrusion by adding and removing monitors.

This issue is similar to but different than bug 609337 (CVE-2010-0414).

Steps to reproduce:

1) Lock screen
2) Plug in new monitor and wait for unlock dialog to show on it.
3) Unplug new monitor, watch unlock dialog move to primary monitor
4) Replug new monitor, watch unlock dialog stay on primary monitor
5) Unplug new monitor
6) Hit Alt-F2 and type "pkill -f gnome-screensaver"

Comment 1 Ray Strode [halfline] 2010-02-12 20:16:04 UTC
Created attachment 390573
patch to fix the problem

Comment 2 Vincent Danen 2010-02-12 20:17:57 UTC
As with the other similar issue, this one only affects gnome-screensaver 2.28, so only Fedora 12 is affected.

Please use CVE-2010-0422 for this issue.

Comment 5 Matt McCutchen 2010-02-13 07:20:17 UTC
Wow, gnome-screensaver's hold on the X session is more fragile than I would have expected.  It makes me wish the X server would give us more help securely locking the screen and perhaps keeping it locked even if gnome-screensaver crashes ("fail-secure").

Comment 6 Fedora Update System 2010-02-16 13:07:25 UTC
gnome-screensaver-2.28.3-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Akshay Dua 2010-03-14 22:21:11 UTC
This problem is still not fixed for me. I am using the latest version: gnome-screensaver-2.28.3-1.fc12. I have a Thinkpad X61 that I use on a docking station most of the time. The docking station has another monitor (Viewsonic VP191b) connected to it. Whenever I disconnect my laptop from the dock and connect it back again, the lock dialog shows up on the laptop screen but I can't type the password into it. The mouse and cursor don't appear at all.

I work around the problem by waiting for the "Time expired" message to show up on the lock dialog. After that, the screen goes dark, and then I can move the mouse to get a fully functional lock dialog back on my laptop screen.

It's also worth noting that every time I disconnect the laptop from the docking station, I get the following error message in a notification dialog: "Could not switch the monitor configuration. Could not set the configuration for CRT 56"

Any help will be appreciated.

Comment 8 Matt McCutchen 2010-03-14 22:47:35 UTC
Re comment #7: "This problem" is the vulnerability described in comment #0.  Unless you are reporting that the vulnerability still exists, please file a separate bug.

Comment 9 Akshay Dua 2010-03-14 22:53:56 UTC
Oops! My apologies, I'll file a separate bug.