Bug 350271 (CVE-2007-3920) - CVE-2007-3920 gnome-screensaver loses keyboard grab when running under compiz
Summary: CVE-2007-3920 gnome-screensaver loses keyboard grab when running under compiz
Keywords:
Status: CLOSED WORKSFORME
Alias: CVE-2007-3920
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Kristian Høgsberg
QA Contact: Fedora Extras Quality Assurance
URL: http://bugzilla.gnome.org/show_bug.cg...
Whiteboard:
Depends On: 357071 357081 357091 357101 357111 363061
Blocks: 443862
TreeView+ depends on / blocked
 
Reported: 2007-10-24 10:47 UTC by Red Hat Product Security
Modified: 2019-09-29 12:22 UTC (History)
7 users (show)

Fixed In Version: 1.3.0.0-40.fc8
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-09-17 19:13:34 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0485 normal SHIPPED_LIVE Low: compiz security update 2008-05-21 14:13:49 UTC

Description Lubomir Kundrak 2007-10-24 10:47:28 UTC
Description of problem:

From upstream bugzilla:

If compiz is used and "Unredirected Fullscreen mode" is turned on the
gnome-screensaver keybord grab does not work. Its possible to input into
(hidden) windows then. 

Additional info:

Upstream bug report contains patch. Feel free to request freeze break for f8 to
fix this, as it has security implications.

References:

https://launchpad.net/bugs/145123
http://bugzilla.gnome.org/show_bug.cgi?id=488264

Comment 1 Ray Strode [halfline] 2007-10-24 11:41:31 UTC
hmm, if what the person says is true, then the patch can't be right.  that means
gnome-screensaver is running without a keyboard grab in effect?!

Comment 2 Ray Strode [halfline] 2007-10-24 11:43:08 UTC
ajax, is "XCompositeUnredirectWindow()" really dropping grabs?

Comment 3 Ray Strode [halfline] 2007-10-24 15:16:17 UTC
It looks like it is:

    for (ccw = cw->clients; ccw; ccw = ccw->next)
        if (ccw->update == update && CLIENT_ID(ccw->id) == pClient->index)     
        {
            FreeResource (ccw->id, RT_NONE);
            return Success;
        }

then FreeResource calls compFreeClientWindow () which does:

            UnmapWindow (pWin, FALSE);

(from looking through the code, I haven't verified it actually runs that way in
practice).

This is an X server bug.  One client shouldn't be able to break the grabs of
another.

Comment 4 Ray Strode [halfline] 2007-10-24 18:31:55 UTC
So ajax and I talked to keithp about this a bit on IRC.

It's apparently hard to make XCompositeUnredirectWindow not have an intermediate
unmap, and while breaking grabs is sort of an unexpected side effect, this side
effect is not likely to go away in the near future.

In case it's not clear, this is not an xserver security issue.  Any client can
break the grabs of any other client, snoop on any other client, or even
disconnect any other client by design.

What this is, is a compiz bug.  It shouldn't be unredirecting after map.  It
should check if the window is fullscreen and unredirecting before the map.

moving to compiz.

Comment 5 Josh Bressers 2007-10-29 18:17:54 UTC
I'm moving this to the security response product for tracking.

Comment 8 Josh Bressers 2008-01-11 18:20:53 UTC
Here is the upstream bug report:
http://bugs.opencompositing.org/show_bug.cgi?id=668

Comment 9 Kristian Høgsberg 2008-01-17 03:03:21 UTC
It's a bug in the xserver that it breaks grabs when a window is redirected or
unredirected.  I committed a fix upstream:

http://cgit.freedesktop.org/xorg/xserver/commit/?id=a6a7fadbb03ee99312dfb15ac478ab3c414c1c0b

and have built the new X server in rawhide.  

Comment 11 Ray Strode [halfline] 2008-01-17 17:47:11 UTC
Awesome work, Kristian!

It's nice to see the fix wasn't as invasive as initially expected.

Comment 12 Fedora Update System 2008-01-24 21:49:20 UTC
xorg-x11-server-1.3.0.0-40.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2008-01-24 21:58:02 UTC
xorg-x11-server-1.3.0.0-16.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Josh Bressers 2008-01-28 21:23:15 UTC
I'm marking this as low after discussing it with krh:
    "this one is disabled by default, not documented, and you have to navigate
     through gconf-editor to enable it"

Comment 16 Red Hat Bugzilla 2009-10-23 19:05:29 UTC
Reporter changed to security-response-team@redhat.com by request of Jay Turner.


Note You need to log in before you can comment on or make changes to this bug.