Bug 350271 - (CVE-2007-3920) CVE-2007-3920 gnome-screensaver loses keyboard grab when running under compiz
CVE-2007-3920 gnome-screensaver loses keyboard grab when running under compiz
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Kristian Høgsberg
Fedora Extras Quality Assurance
: Reopened, Security
Depends On: 357071 357081 357091 357101 357111 363061
Blocks: 443862
  Show dependency treegraph
Reported: 2007-10-24 06:47 EDT by Red Hat Product Security
Modified: 2009-10-23 15:05 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-09-17 15:13:34 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Lubomir Kundrak 2007-10-24 06:47:28 EDT
Description of problem:

From upstream bugzilla:

If compiz is used and "Unredirected Fullscreen mode" is turned on the
gnome-screensaver keybord grab does not work. Its possible to input into
(hidden) windows then. 

Additional info:

Upstream bug report contains patch. Feel free to request freeze break for f8 to
fix this, as it has security implications.


Comment 1 Ray Strode [halfline] 2007-10-24 07:41:31 EDT
hmm, if what the person says is true, then the patch can't be right.  that means
gnome-screensaver is running without a keyboard grab in effect?!
Comment 2 Ray Strode [halfline] 2007-10-24 07:43:08 EDT
ajax, is "XCompositeUnredirectWindow()" really dropping grabs?
Comment 3 Ray Strode [halfline] 2007-10-24 11:16:17 EDT
It looks like it is:

    for (ccw = cw->clients; ccw; ccw = ccw->next)
        if (ccw->update == update && CLIENT_ID(ccw->id) == pClient->index)     
            FreeResource (ccw->id, RT_NONE);
            return Success;

then FreeResource calls compFreeClientWindow () which does:

            UnmapWindow (pWin, FALSE);

(from looking through the code, I haven't verified it actually runs that way in

This is an X server bug.  One client shouldn't be able to break the grabs of
Comment 4 Ray Strode [halfline] 2007-10-24 14:31:55 EDT
So ajax and I talked to keithp about this a bit on IRC.

It's apparently hard to make XCompositeUnredirectWindow not have an intermediate
unmap, and while breaking grabs is sort of an unexpected side effect, this side
effect is not likely to go away in the near future.

In case it's not clear, this is not an xserver security issue.  Any client can
break the grabs of any other client, snoop on any other client, or even
disconnect any other client by design.

What this is, is a compiz bug.  It shouldn't be unredirecting after map.  It
should check if the window is fullscreen and unredirecting before the map.

moving to compiz.
Comment 5 Josh Bressers 2007-10-29 14:17:54 EDT
I'm moving this to the security response product for tracking.
Comment 8 Josh Bressers 2008-01-11 13:20:53 EST
Here is the upstream bug report:
Comment 9 Kristian Høgsberg 2008-01-16 22:03:21 EST
It's a bug in the xserver that it breaks grabs when a window is redirected or
unredirected.  I committed a fix upstream:


and have built the new X server in rawhide.  
Comment 11 Ray Strode [halfline] 2008-01-17 12:47:11 EST
Awesome work, Kristian!

It's nice to see the fix wasn't as invasive as initially expected.
Comment 12 Fedora Update System 2008-01-24 16:49:20 EST
xorg-x11-server- has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2008-01-24 16:58:02 EST
xorg-x11-server- has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Josh Bressers 2008-01-28 16:23:15 EST
I'm marking this as low after discussing it with krh:
    "this one is disabled by default, not documented, and you have to navigate
     through gconf-editor to enable it"
Comment 16 Red Hat Bugzilla 2009-10-23 15:05:29 EDT
Reporter changed to security-response-team@redhat.com by request of Jay Turner.

Note You need to log in before you can comment on or make changes to this bug.