Bug 697199 - gnome-screensaver: Switching users does not lock screen
gnome-screensaver: Switching users does not lock screen
Status: ASSIGNED
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20110416,reported=2...
: Reopened, Security
Depends On: 725187
Blocks:
  Show dependency treegraph
 
Reported: 2011-04-16 15:07 EDT by Need Real Name
Modified: 2015-07-31 08:41 EDT (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-05-02 05:42:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Backtrace provided by the reporter (31.85 KB, text/plain)
2011-04-26 05:34 EDT, Jan Lieskovsky
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Bugzilla 725187 None None None Never
GNOME Desktop 648234 None None None Never

  None (edit)
Description Need Real Name 2011-04-16 15:07:43 EDT
Description of problem:
If I switch users the original user's screen is not locked.

Version-Release number of selected component (if applicable):


How reproducible:
Only tried once.

Steps to Reproduce:
1. user1: Choose "switch user", login as user2.
2. user2: Choose "logout"
3.
  
Actual results:
I am returned to user1's desktop without being prompted for a password.

Expected results:


Additional info:
Comment 1 Need Real Name 2011-04-19 01:44:33 EDT
Reproducible: every time.

Switch user then use ctrl+alt+fN to switch back to the original user. The screensaver is not activated.

Security hole -> please up severity.
Comment 2 Jan Lieskovsky 2011-04-19 06:46:14 EDT
Hello,

  thank you for your report.

(In reply to comment #1)
> Reproducible: every time.
> 
> Switch user then use ctrl+alt+fN to switch back to the original user. The
> screensaver is not activated.
> 
> Security hole -> please up severity.

By any chance have you reported this issue upstream:?
[1] https://bugzilla.gnome.org/enter_bug.cgi?product=gnome-desktop

Have searched the currently opened gnome-desktop upstream bugzilla
entries, and could not find one for this issue.

Please provide a link if you already filed one. Otherwise I will
file a new one and contact the upstream developers.

Thank you, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 3 Need Real Name 2011-04-19 12:21:08 EDT
Hello,

No I haven't filed this upstream. Thanks.
Comment 4 Jan Lieskovsky 2011-04-19 13:03:57 EDT
Upstream bug report:
[2] https://bugzilla.gnome.org/show_bug.cgi?id=648234
Comment 5 Need Real Name 2011-04-19 13:19:03 EDT
Low impact?

According to the Classification of Security Issues documented here:
 https://access.redhat.com/security/updates/classification/

This is an Important impact bug.

"This rating is given to flaws that can easily compromise the confidentiality, integrity, or availability of resources. These are the types of vulnerabilities that allow local users to gain privileges, allow unauthenticated remote users to view resources that should otherwise be protected by authentication, allow authenticated remote users to execute arbitrary code, or allow local or remote users to cause a denial of service."
Comment 6 Jan Lieskovsky 2011-04-19 13:29:22 EDT
(In reply to comment #5)
> Low impact?
> 
> According to the Classification of Security Issues documented here:
>  https://access.redhat.com/security/updates/classification/
> 
> This is an Important impact bug.
> 
> "This rating is given to flaws that can easily compromise the confidentiality,
> integrity, or availability of resources. These are the types of vulnerabilities 
> that allow local users to gain privileges..

Low / moderate impact due the fact:
1) the attacker needs to be locally proximate,
2) successful exploitation of this would require the victim
   not to log out themselves via normal logout process but
   rather rely on screensaver / switch user screen to perform
   the log out for them automatically (which is pretty unlikely
   scenario, but possible).

Though we may revisit the classification of the severity of this
issue. Just let us know, why do you think this should be of
higher security impact.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 7 Jan Lieskovsky 2011-04-19 13:39:40 EDT
CVE Request:
[3] http://www.openwall.com/lists/oss-security/2011/04/19/4
Comment 8 Need Real Name 2011-04-19 17:14:25 EDT
Hm... Fedora is by default exploitable in the environment this feature is designed for, i.e. a multi-user environment.

(In reply to comment #6)
> Low / moderate impact due the fact:
> 1) the attacker needs to be locally proximate,

To quote "Important impact":
 "These are the types of vulnerabilities that allow local users to gain privileges,"

To take an extreme example: to gain privileges you poison the user's bin directory/bash startup scripts/gnome-session programs, etc.

But more important are "flaws that can easily compromise the confidentiality, integrity, or availability of resources" (as mentioned before).

> 2) successful exploitation of this would require the victim
>    not to log out themselves via normal logout process but
>    rather rely on screensaver / switch user screen to perform
>    the log out for them automatically (which is pretty unlikely
>    scenario, but possible).

This is not unlikely? Switch user is designed for this scenario.!

> Though we may revisit the classification of the severity of this
> issue. Just let us know, why do you think this should be of
> higher security impact.

Ok. If you want I can post to fedora-devel?
Comment 9 Jan Lieskovsky 2011-04-20 11:39:08 EDT
(In reply to comment #8)
> > Though we may revisit the classification of the severity of this
> > issue. Just let us know, why do you think this should be of
> > higher security impact.
> 
> Ok. If you want I can post to fedora-devel?

Please use the email address of Red Hat Security Response Team,
secalert@redhat.com for this purpose.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 10 Jan Lieskovsky 2011-04-22 05:55:08 EDT
The CVE identifier of CVE-2011-1596 has been assigned to this issue.
Comment 11 Need Real Name 2011-04-25 10:58:04 EDT
Note: although gnome-screensaver crashes, I cannot reproduce the "screen left unlocked" part.

I can reliably crash gnome-screensaver as follows:

1. user1: from top-right username dropdown, choose "lock screen"
2. user1: choose "switch user"
3. login as user2
4. user2: from top-right username dropdown, choose "lock screen"
5. user2: choose "switch user"
6. login as user2
7. user2: notice abrt icon in hidden status bar, and notification that gnome-screensaver has crashed.

trace sent to JL.
Comment 12 Huzaifa S. Sidhpurwala 2011-04-26 04:35:25 EDT
> trace sent to JL.

JL?

Can you enclose the backtrace either on this bug or the upstream bug please?
Comment 13 Jan Lieskovsky 2011-04-26 05:34:41 EDT
Created attachment 494843 [details]
Backtrace provided by the reporter
Comment 14 Jan Lieskovsky 2011-04-26 05:35:32 EDT
(In reply to comment #12)
> > trace sent to JL.
> 
> JL?

Me was meant under abbreviation of JL.

> 
> Can you enclose the backtrace either on this bug or the upstream bug please?

Attached in previous comment.
Comment 15 Jan Lieskovsky 2011-04-27 02:22:09 EDT
Hello,

  thank you for the detailed scenario below.

(In reply to comment #11)
> Note: although gnome-screensaver crashes, I cannot reproduce the "screen left
> unlocked" part.
> 
> I can reliably crash gnome-screensaver as follows:
> 
> 1. user1: from top-right username dropdown, choose "lock screen"
> 2. user1: choose "switch user"
> 3. login as user2
> 4. user2: from top-right username dropdown, choose "lock screen"
> 5. user2: choose "switch user"
> 6. login as user2
> 7. user2: notice abrt icon in hidden status bar, and notification that
> gnome-screensaver has crashed.
> 
> trace sent to JL.

How "then use ctrl+alt+fN to switch back to the original user." from
https://bugzilla.redhat.com/show_bug.cgi?id=697199#c1 fits into this
new scenario? (into which step)

So the original issue description:
"If I switch users the original user's screen is not locked."
was intended to say:
..
6. login as user2
7. user2: notice abrt icon in hidden status bar, and notification that
   gnome-screensaver has crashed.

IOW / in short version, there is no 'user's screen is not locked'
symptome anymore (was it present originally?) and the 'only' impact
is screensaver crash?

Thank you, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 16 Huzaifa S. Sidhpurwala 2011-04-27 02:27:21 EDT
Hi,
From the crash report attached on this bug, it seems like the crash is only in gnome-screensaver-dialog and does not cause the daemon to crash.

Are you still able to reproduce this issue ?
Comment 17 Need Real Name 2011-04-27 02:57:27 EDT
I can no longer reproduce the bug as originally reported.

I suspect two things:
1. A system package was updated while I was logged in that caused gnome-screensaver to fail to lock
or:
2. gnome screensaver recovers more gracefully than it did

So if you want you can close this bug since this bug is specific to the security issue, and I can reopen it later if it happens again (but g-s still crashes for me).
Comment 18 Huzaifa S. Sidhpurwala 2011-04-27 03:04:37 EDT
(In reply to comment #17)

> So if you want you can close this bug since this bug is specific to the
> security issue, and I can reopen it later if it happens again (but g-s still
> crashes for me).

Regarding the crash, can you please try the latest version of gnome-screensaver from the gnome git, the following patch should resolve your crash.


commit 338b86c4f0c2cdc4241dbf5cda913f0184afc105
Author: Huzaifa Sidhpurwala <huzaifas@redhat.com>
Date:   Tue Apr 26 13:15:56 2011 -0400

    dialog: Fix crash in user switcher code
    
    The user switch button currently causes the lock dialog to crash
    because of an inverted conditional in the error checking code.
    
    This commit addresses the crash by performing the proper check
    in the conditional.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=648234
Comment 19 Need Real Name 2011-04-27 04:38:21 EDT
Sure, can you push the change to updates-testing for F15?
Comment 20 Huzaifa S. Sidhpurwala 2011-04-27 04:42:07 EDT
I can actually do a quick scratch build for you, if you want
Comment 21 Need Real Name 2011-04-27 05:21:39 EDT
That would be great.
Comment 22 Huzaifa S. Sidhpurwala 2011-04-27 05:24:38 EDT
Scratch build here:
http://koji.fedoraproject.org/koji/taskinfo?taskID=3029265

Please let me know if this helps.
Comment 23 Need Real Name 2011-04-28 02:50:59 EDT
WFM - thanks!
Comment 24 Huzaifa S. Sidhpurwala 2011-05-02 05:40:32 EDT
Further investigation has revealed the problem described in this
bug report is just a crash in the gnome-screensaver-dialog, and
does not cause the screensaver itself to be killed.

Red Hat does not consider this bug to be a security issue.
Comment 25 Need Real Name 2011-06-02 12:10:32 EDT
I've just had this happen again - twice.

Using the method in comment #1.
Comment 26 Need Real Name 2011-07-28 13:34:46 EDT
Reopening.

When gnome-shell for user 2 crashes (bug 725187), you can often but not always simply ctrl+fN to get to the user 1's screen.

This surely cannot happen if gnome-screensaver is checking whether the screensaver was successfully activated before switching users.


Why this bug is important

This bug severely limits the effectiveness of a user to safeguard their data.
They reasonably expect that their workstation is locked when they switch users. It isn't always.
Comment 27 Need Real Name 2011-08-02 13:55:17 EDT
This bug is less reproducable now, but I still see it four to five times per day.
Comment 28 Paul Howarth 2011-08-11 03:54:24 EDT
I've also seen gnome-screensaver crash reports and been able to switch users without passwords (on F15). Next time it happens I'll see if I can get a backtrace.
Comment 29 Need Real Name 2011-08-18 12:36:14 EDT
Although I've been waving a big red security flag around for four months now, nobody seems to actually care.

@Red Hat: there is zero point having SELinux if we fail at the most basic level to prevent a screen lock from working.

Bug 725187 has strack traces if you want them.
Comment 30 tomislav 2012-01-06 14:11:05 EST
This bug is also reproducable in Fedora 16 (x86)

Note You need to log in before you can comment on or make changes to this bug.