Bug 1274452 - Xscreensaver lock bypass
Xscreensaver lock bypass
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: xscreensaver (Show other bugs)
22
Unspecified Unspecified
unspecified Severity urgent
: ---
: ---
Assigned To: Mamoru TASAKA
Fedora Extras Quality Assurance
: Security, SecurityTracking
: 1276357 (view as bug list)
Depends On:
Blocks: CVE-2015-8025 1276355
  Show dependency treegraph
 
Reported: 2015-10-22 14:27 EDT by Jean-Christophe Baptiste
Modified: 2016-11-08 11:25 EST (History)
4 users (show)

See Also:
Fixed In Version: xscreensaver-5.34-1.fc22
Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-05 18:24:20 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jean-Christophe Baptiste 2015-10-22 14:27:59 EDT
Description of problem:

In HDMI multi-screen setups, xscreensaver crashes (segfault) when the external screen is plug out.

Then, the screen is unlocked.

How reproducible:


Steps to Reproduce:
1. Enable a dual screen configuration with an HDMI external screen
2. Lock the desktop (XFCE in my case)
3. Unplug the HDMI cable

Actual results:

The desktop is now unlocked

Expected results:

The change should be handled and in any case the desktop shall remain locked.

Additional info:

Video and discussion: https://twitter.com/Thaolia/status/656823859304398848
Comment 1 Mamoru TASAKA 2015-10-22 20:16:19 EDT
I cannot reproduce this issue.

* Would you result the result of 
  $ rpm -qa | sort
  ?

* Would you attach the result of
  $ xrandr
  before and after you unplug the HDMI cable?

* Would you attach
  /var/log/Xorg.0.log ?

* Would you attach the result of gdb backtrace?
Comment 2 Mamoru TASAKA 2015-10-22 20:19:49 EDT
Note that "xscreensaver segfaults" does not immediately mean that xscreensaver is the culprit.
Comment 3 Jean-Christophe Baptiste 2015-10-23 05:32:45 EDT
I cannot reproduce the issue all the time, and sometimes it simply crashes freezing all Xorg, so I have to hard reboot.

So I am having hard time catching the backtrace.

Now I have to get my machine back to work and secure, so I am falling back to slock.

Not sure I can help much for now and for security reasons I cannot not send you all the info you request. Can you narrow it down (packages, errors, etc.)?

A common point with the guy that reported the bug first on Twitter seems to be that we are on Intel graphics.
Please note that he did post a gdb screenshot showing a NULL pointer reference on a cmp instruction. He may be able to help you more with the full backtrace and more details.
Comment 4 Mamoru TASAKA 2015-10-24 11:14:29 EDT
The upstream developer and me already tracked down the cause and hopefully the upstream release the new version.
Comment 5 Fedora Update System 2015-10-24 11:18:51 EDT
xscreensaver-5.33-5.respin1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-19b2b73dc5
Comment 6 Fedora Update System 2015-10-24 11:19:17 EDT
xscreensaver-5.33-5.respin1.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d0df8d770
Comment 7 Fedora Update System 2015-10-24 11:19:38 EDT
xscreensaver-5.33-5.respin1.fc21 has been submitted as an update to Fedora 21. https://bodhi.fedoraproject.org/updates/FEDORA-2015-adfd729dbc
Comment 8 Mamoru TASAKA 2015-10-24 21:10:22 EDT
xscreensaver 5.34 is released, which should address this issue (Fedora 5.33-5 includes the fix by the upstream)
Comment 9 Fedora Update System 2015-10-26 22:19:43 EDT
xscreensaver-5.34-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update xscreensaver'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-19b2b73dc5
Comment 10 Fedora Update System 2015-10-28 14:22:02 EDT
xscreensaver-5.34-1.fc21 has been pushed to the Fedora 21 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update xscreensaver'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-adfd729dbc
Comment 11 Fedora Update System 2015-10-28 16:26:45 EDT
xscreensaver-5.34-1.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update xscreensaver'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d0df8d770
Comment 12 Mamoru TASAKA 2015-10-29 18:47:13 EDT
http://www.openwall.com/lists/oss-security/2015/10/29/12
CVE-2015-8025 is now assigned.
Comment 13 Mamoru TASAKA 2015-10-30 05:50:22 EDT
*** Bug 1276357 has been marked as a duplicate of this bug. ***
Comment 14 Fedora Update System 2015-11-02 13:52:37 EST
xscreensaver-5.34-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2015-11-05 16:49:22 EST
xscreensaver-5.34-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2015-11-05 18:24:17 EST
xscreensaver-5.34-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.