Bug 188149 - CVE-2004-2655 xscreensaver passes password to other applications
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: xscreensaver
All Linux
medium Severity medium
Assigned To: Ray Strode [halfline]
: Security
Reported: 2006-04-06 09:52 EDT by Issue Tracker
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHSA-2006-0498
Doc Type: Bug Fix
Last Closed: 2006-05-23 16:31:46 EDT

Attachments
Patch extracted from upstream tarballs (4.69 KB, patch)
2006-04-10 14:12 EDT, Josh Bressers
Description Issue Tracker 2006-04-06 09:52:03 EDT
Escalated to Bugzilla from IssueTracker
Comment 40 Josh Bressers 2006-04-06 13:34:47 EDT
Under certain circumstances, it is possible for a running application to steal
the focus from xscreensaver (such as rdesktop).  This can lead to a user's
password being entered into the application in question, possibly leaking it to
the outside world.

More information here:

and here:
(Do a search in the page for 'rdesktop' as there is no anchor for the 4.16
changelog entry).
Comment 41 Josh Bressers 2006-04-06 13:36:43 EDT
Do we know if this affects RHEL2.1?  While we don't ship rdesktop for RHEL2.1,
it is possible other things could trigger this flaw.  I don't have anything to
connect rdesktop to in order to test this.
Comment 42 Josh Bressers 2006-04-10 14:12:17 EDT
Created attachment 127565 [details]
Patch extracted from upstream tarballs
Comment 44 Ray Strode [halfline] 2006-04-10 17:36:28 EDT
So the really interesting part of the patch is this change:

-  return (kstatus == GrabSuccess ||
-	  mstatus == GrabSuccess);
+  if (kstatus != GrabSuccess)	/* Do not blank without a kbd grab.   */
+    return False;
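
Review bot: The early return on kstatus != GrabSuccess no longer looks at mstatus, so when the mouse grab succeeded but the keyboard grab failed, confirm the pointer grab is released before returning False; otherwise the pointer stays grabbed while the screen is left unblanked. The removed return expression has no visible replacement in these lines, so also check that the success path still returns True explicitly once the keyboard grab holds, and consider logging the failed keyboard grab so a refused lock is visible to the user or administrator.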

Previously it would blank the screen even if it couldn't get a keyboard grab (as
long as it could get a mouse grab).  That's broken and why rdesktop was causing

The other bits of the patch also look okay, with the exception of:

+  XSetInputFocus (si->dpy, None, RevertToNone, CurrentTime);

In general, it's a bad idea to ever set the focus to None.  The reasoning is,
global keybindings are normally set up by calling XGrabKey on the root window, so
if the root window or one of its ancestors doesn't have focus then global
keybindings stop working. 

I realize it's going to grab the keyboard anyway, so it doesn't matter, but I
think we should still change it to XSetInputFocus (si->dpy, window,
RevertToPointerRoot, CurrentTime) and pass the xscreensaver window to focus into
the nuke_focus function (and maybe call it take_focus instead of nuke_focus).
Comment 45 Ray Strode [halfline] 2006-04-11 14:31:31 EDT
I meant descendants when I said ancestors in comment 44, of course.

To answer comment 41, it does look like this affects rhel 2.1.
Comment 52 Red Hat Bugzilla 2006-05-23 16:31:46 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

