Red Hat Bugzilla – Bug 350271
CVE-2007-3920 gnome-screensaver loses keyboard grab when running under compiz
Last modified: 2009-10-23 15:05:29 EDT
Description of problem:
From upstream bugzilla:
If compiz is used and "Unredirected Fullscreen mode" is turned on the
gnome-screensaver keybord grab does not work. Its possible to input into
(hidden) windows then.
Upstream bug report contains patch. Feel free to request freeze break for f8 to
fix this, as it has security implications.
hmm, if what the person says is true, then the patch can't be right. that means
gnome-screensaver is running without a keyboard grab in effect?!
ajax, is "XCompositeUnredirectWindow()" really dropping grabs?
It looks like it is:
for (ccw = cw->clients; ccw; ccw = ccw->next)
if (ccw->update == update && CLIENT_ID(ccw->id) == pClient->index)
FreeResource (ccw->id, RT_NONE);
then FreeResource calls compFreeClientWindow () which does:
UnmapWindow (pWin, FALSE);
(from looking through the code, I haven't verified it actually runs that way in
This is an X server bug. One client shouldn't be able to break the grabs of
So ajax and I talked to keithp about this a bit on IRC.
It's apparently hard to make XCompositeUnredirectWindow not have an intermediate
unmap, and while breaking grabs is sort of an unexpected side effect, this side
effect is not likely to go away in the near future.
In case it's not clear, this is not an xserver security issue. Any client can
break the grabs of any other client, snoop on any other client, or even
disconnect any other client by design.
What this is, is a compiz bug. It shouldn't be unredirecting after map. It
should check if the window is fullscreen and unredirecting before the map.
moving to compiz.
I'm moving this to the security response product for tracking.
Here is the upstream bug report:
It's a bug in the xserver that it breaks grabs when a window is redirected or
unredirected. I committed a fix upstream:
and have built the new X server in rawhide.
Awesome work, Kristian!
It's nice to see the fix wasn't as invasive as initially expected.
xorg-x11-server-188.8.131.52-40.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
xorg-x11-server-184.108.40.206-16.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
I'm marking this as low after discussing it with krh:
"this one is disabled by default, not documented, and you have to navigate
through gconf-editor to enable it"
Reporter changed to firstname.lastname@example.org by request of Jay Turner.