Bug 786310 (CVE-2012-1620) - CVE-2012-1620 slock-0.9 displays modal box after locking
Summary: CVE-2012-1620 slock-0.9 displays modal box after locking
Status: CLOSED ERRATA
Alias: CVE-2012-1620
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20120131,reported=2...
Keywords: Security
Depends On: 812086
Blocks: 786311
TreeView+ depends on / blocked
 
Reported: 2012-02-01 02:41 UTC by Kurt Seifried
Modified: 2013-01-13 13:12 UTC (History)
2 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2012-04-13 21:35:49 UTC


Attachments (Terms of Use)

Description Kurt Seifried 2012-02-01 02:41:52 UTC
https://bugs.gentoo.org/show_bug.cgi?id=401645

Jeroen Roovers 2012-01-31 17:23:28 UTC

1)  In a terminal, I run `slock & sleep 5; <some X app>'
2)  After about 10 seconds, I press some keys that slock would interpret as a
    password.
3a) It does not allow me to use <some X app> - all keyboard controls are
captured.
3b) Pointer device input is blocked - <some X app> cannot be controlled through
    the mouse.
4)  Entering the correct password unlocks the screen and makes <some X app>
    focused and in the foreground.

The only harm I see here is a possible unwanted disclosure of the information
that <some X app> happens to display at the time, but it's a vulnerability sure
enough.

Comment 1 Petr Šabata 2012-02-01 09:54:24 UTC
There's also another reproducer in Comment #4.

Neither works for me with slock-0.9-9.fc16.x86_64 or slock-0.9-10r.fc16.x86_64, though -- the apps stay hidden, slock is in the foreground and eats all the input.  This is correct behavior, afaic.

I cannot reproduce this on F16.

Comment 3 Kurt Seifried 2012-04-06 05:10:13 UTC
Added CVE as per http://www.openwall.com/lists/oss-security/2012/04/06/2

Comment 4 Kurt Seifried 2012-04-06 05:10:34 UTC
Longpoke 2012-02-01 03:41:11 UTC

You need to run the other program *concurrently*. I'll try and make the reproduction steps clearer:

1. run sleep <n>; <X-program>
2. lock the screen as fast as you can
3. make sure <n> seconds has passed, so that you know <X-program> has started
4. press some keys (any keys (doesn't have to be your actual password), don't hit enter)

Now the black screen will go away and you can see the current active desktop along with <X-program>.

Where <X-program> is the name of some X program that will create a window and leave it open when executed, i.e: pcmanfm.

Comment 5 Vincent Danen 2012-04-12 17:30:14 UTC
Created slock tracking bugs for this issue

Affects: fedora-all [bug 812086]

Comment 6 Petr Šabata 2012-04-13 09:32:51 UTC
(In reply to comment #4)
> Longpoke 2012-02-01 03:41:11 UTC
> 
> You need to run the other program *concurrently*. I'll try and make the
> reproduction steps clearer:
> 
> 1. run sleep <n>; <X-program>
> 2. lock the screen as fast as you can
> 3. make sure <n> seconds has passed, so that you know <X-program> has started
> 4. press some keys (any keys (doesn't have to be your actual password), don't
> hit enter)
> 
> Now the black screen will go away and you can see the current active desktop
> along with <X-program>.
> 
> Where <X-program> is the name of some X program that will create a window and
> leave it open when executed, i.e: pcmanfm.

I've tried all those reproducers around, including yours now. I've never hit the issue. Some say this only happens with compositing managers and just sometimes...?

(In reply to comment #5)
> Created slock tracking bugs for this issue
> 
> Affects: fedora-all [bug 812086]

As far as I know, this has been fixed in January and has been in f16 stable for some time now.  I cannot verify it because of the reason stated above.

Comment 7 Vincent Danen 2012-04-13 21:35:49 UTC
This was fixed in slock-0.9-10.fc16 on January 31.


Note You need to log in before you can comment on or make changes to this bug.