Red Hat Bugzilla – Bug 188149
CVE-2004-2655 xscreensaver passes password to other applications
Last modified: 2007-11-30 17:07:09 EST
Escalated to Bugzilla from IssueTracker
Under certain circumstances, it is possible for a running application to steal
the focus from xscreensaver (such as rdesktop). This can lead to a user's
password being entered into the application in question, possibly leaking it to the
More information here:
(Do a search in the page for 'rdesktop' as there is no anchor for the 4.16
Do we know if this affects RHEL2.1? While we don't ship rdesktop for RHEL2.1,
it is possible other things could trigger this flaw. I don't have anything to
connect rdesktop to in order to test this.
Created attachment 127565
Patch extracted from upstream tarballs
So the really interesting part of the patch is this change:
- return (kstatus == GrabSuccess ||
- mstatus == GrabSuccess);
+ if (kstatus != GrabSuccess) /* Do not blank without a kbd grab. */
+ return False;
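Review bot: The early `return False` on the `kstatus != GrabSuccess` path no longer looks at `mstatus`, so a mouse grab that succeeded may still be held when the function reports failure; the visible lines show no ungrab before the return. Suggest releasing any pointer grab before returning False, or confirming that the caller does so. The excerpt also does not show what is returned when the keyboard grab succeeds but the mouse grab fails, so the replacement for the old `mstatus == GrabSuccess` condition should be documented in the comment.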
Previously it would blank the screen even if it couldn't get a keyboard grab (as
long as it could get a mouse grab). That's broken and why rdesktop was causing
The other bits of the patch also look okay, with the exception of:
+ XSetInputFocus (si->dpy, None, RevertToNone, CurrentTime);
In general, it's a bad idea to ever set the focus to None. The reasoning is,
global keybindings are normally set up by calling XGrabKey on the root window, so
if the root window or one of its ancestors doesn't have focus then global
keybindings stop working.
I realize it's going to grab the keyboard anyway, so it doesn't matter, but I
think we should still change it to XSetInputFocus (si->dpy, window,
RevertToPointerRoot, CurrentTime) and pass the xscreensaver window to focus into
the nuke_focus function (and maybe call it take_focus instead of nuke_focus).
I meant descendants when I said ancestors in comment 44, of course.
To answer comment 41, it does look like this affects RHEL 2.1.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.