Bug 188149 - CVE-2004-2655 xscreensaver passes password to other applications
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: xscreensaver
Version: 3.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Ray Strode [halfline]
Whiteboard: impact=moderate,reported=20060406,sou...
Reported: 2006-04-06 13:52 UTC by Issue Tracker
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHSA-2006-0498
Doc Type: Bug Fix
Last Closed: 2006-05-23 20:31:46 UTC


Attachments
Patch extracted from upstream tarballs (4.69 KB, patch)
2006-04-10 18:12 UTC, Josh Bressers


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2006:0498 0 normal SHIPPED_LIVE Moderate: xscreensaver security update 2006-05-23 04:00:00 UTC

Description Issue Tracker 2006-04-06 13:52:03 UTC
Escalated to Bugzilla from IssueTracker

Comment 40 Josh Bressers 2006-04-06 17:34:47 UTC
Under certain circumstances, it is possible for a running application to steal
the focus from xscreensaver (such as rdesktop).  This can lead to a user's
password being entered into the application in question, possibly leaking it to the
outside world.

More information here:
http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2004-08/0018.html

and here:
http://www.jwz.org/xscreensaver/changelog.html
(Do a search in the page for 'rdesktop' as there is no anchor for the 4.16
changelog entry).

Comment 41 Josh Bressers 2006-04-06 17:36:43 UTC
Do we know if this affects RHEL2.1?  While we don't ship rdesktop for RHEL2.1,
it is possible other things could trigger this flaw.  I don't have anything to
connect rdesktop to in order to test this.

Comment 42 Josh Bressers 2006-04-10 18:12:17 UTC
Created attachment 127565
Patch extracted from upstream tarballs

Comment 44 Ray Strode [halfline] 2006-04-10 21:36:28 UTC
So the really interesting part of the patch is this change:

-  return (kstatus == GrabSuccess ||
-	  mstatus == GrabSuccess);
...
+  if (kstatus != GrabSuccess)	/* Do not blank without a kbd grab.   */
+    return False;
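
Review bot: on the `kstatus != GrabSuccess` path the function returns False, and the visible lines do not show what happens to a pointer grab that did succeed (`mstatus == GrabSuccess` in the removed expression). If the elided lines do not release it, ungrab the pointer before `return False;`, or document that the caller does, so a refused lock attempt does not leave the mouse grabbed.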

Previously it would blank the screen even if it couldn't get a keyboard grab (as
long as it could get a mouse grab).  That's broken and why rdesktop was causing
problems.

The other bits of the patch also look okay, with the exception of:

+  XSetInputFocus (si->dpy, None, RevertToNone, CurrentTime);

In general, it's a bad idea to ever set the focus to None.  The reasoning is,
global keybindings are normally set up by calling XGrabKey on the root window, so
if the root window or one of its ancestors doesn't have focus then global
keybindings stop working. 

I realize it's going to grab the keyboard anyway, so it doesn't matter, but I
think we should still change it to XSetInputFocus (si->dpy, window,
RevertToPointerRoot, CurrentTime) and pass the xscreensaver window to focus into
the nuke_focus function (and maybe call it take_focus instead of nuke_focus).
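
The grab decision discussed in comment 44, modelled as an added example (not code from xscreensaver or from the attached patch). `fake_server` and the helper functions are constructed stand-ins for the X server and for XGrabKeyboard/XGrabPointer; only the status values and the before/after return logic come from X11 and the quoted hunk.

```c
#include <stdbool.h>
#include <stdio.h>

/* Status codes with the values <X11/X.h> gives them. */
enum { GrabSuccess = 0, AlreadyGrabbed = 1 };

/* Constructed model of the server-side grab state (hypothetical names). */
struct fake_server {
    bool kbd_held_by_other;   /* another client holds the keyboard grab */
    bool ptr_held_by_other;   /* another client holds the pointer grab  */
    bool kbd_ours;            /* the locker owns the keyboard grab      */
};

/* Stand-ins for XGrabKeyboard / XGrabPointer against the model. */
static int try_grab_kbd(struct fake_server *s) {
    if (s->kbd_held_by_other) return AlreadyGrabbed;
    s->kbd_ours = true;
    return GrabSuccess;
}
static int try_grab_ptr(const struct fake_server *s) {
    return s->ptr_held_by_other ? AlreadyGrabbed : GrabSuccess;
}

/* Pre-patch logic: either grab is enough to go ahead and blank. */
bool may_blank_old(struct fake_server *s) {
    int kstatus = try_grab_kbd(s), mstatus = try_grab_ptr(s);
    return (kstatus == GrabSuccess || mstatus == GrabSuccess);
}

/* Patched logic: never blank without the keyboard grab. */
bool may_blank_fixed(struct fake_server *s) {
    int kstatus = try_grab_kbd(s);
    (void) try_grab_ptr(s);
    if (kstatus != GrabSuccess) return false;
    return true;
}

/* Unsafe state: screen looks locked, but keystrokes go to another client. */
bool keys_leak(bool blanked, const struct fake_server *s) {
    return blanked && !s->kbd_ours;
}

int main(void) {
    struct fake_server a = { true, false, false }, b = a;
    bool old_blank = may_blank_old(&a), new_blank = may_blank_fixed(&b);
    printf("old:   blank=%d leak=%d\n", old_blank, keys_leak(old_blank, &a));
    printf("fixed: blank=%d leak=%d\n", new_blank, keys_leak(new_blank, &b));
    return 0;
}
```

With the keyboard held by another client and the pointer free, the pre-patch logic blanks while keystrokes still go elsewhere; the patched logic refuses to blank.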

Comment 45 Ray Strode [halfline] 2006-04-11 18:31:31 UTC
I meant descendants when I said ancestors in comment 44, of course.

To answer comment 41, it does look like this affects rhel 2.1.
 

Comment 52 Red Hat Bugzilla 2006-05-23 20:31:46 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0498.html


