Bug 1962836 (CVE-2021-3567) - CVE-2021-3567 caribou: segfault on pressing ē since Xorg CVE-2020-25712 fix
Summary: CVE-2021-3567 caribou: segfault on pressing ē since Xorg CVE-2020-25712 fix
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-3567
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1962837 1962838
Blocks: 1962839 1965598
Reported: 2021-05-20 16:36 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-07-11 05:00 UTC

Fixed In Version: caribou 0.4.21
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Caribou due to a regression of the CVE-2020-25712 fix. An attacker could use this flaw to bypass screen-locking applications that leverage Caribou as an input mechanism. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-05-26 17:32:13 UTC
Embargoed:



Description Guilherme de Almeida Suckevicz 2021-05-20 16:36:53 UTC
It was discovered that the Caribou onscreen keyboard could be made to crash when given certain input values. An attacker could use this to bypass screen-locking applications that support using Caribou as an input mechanism.

Reference:
https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060

Comment 1 Guilherme de Almeida Suckevicz 2021-05-20 16:37:15 UTC
Created caribou tracking bugs for this issue:

Affects: epel-7 [bug 1962838]
Affects: fedora-all [bug 1962837]

Comment 4 Mauro Matteo Cascella 2021-05-26 14:51:35 UTC
In reply to comment #0:
> It was discovered that the Caribou onscreen keyboard could be made to crash
> when given certain input values. An attacker could use this to bypass
> screen-locking applications that support using Caribou as an input mechanism.

Specifically, this was first reported in the on-screen keyboard which runs within the Cinnamon process and uses libcaribou. Pressing ē led to a Cinnamon crash and possible screensaver lock bypass.

Cinnamon issue:
https://github.com/linuxmint/cinnamon-screensaver/issues/354

Comment 5 Mauro Matteo Cascella 2021-05-26 14:58:14 UTC
It is worth noting that caribou is only shipped with Red Hat Enterprise Linux 7 (caribou-0.4.21) while cinnamon-screensaver is not shipped in Red Hat products.

