touch-packages team mailing list archive

Thread
Date

[Bug 1366790] Re: Fix for CVE-2014-1949 (GTK 3.10.x)

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Margarita Manterola <marga@xxxxxxxxxx>
Date: Thu, 15 Jan 2015 10:32:26 -0000
Reply-to: Bug 1366790 <1366790@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug is still affecting Trusty.  Not only it affects cinnamon-
screensaver, but it also affects gnome-screensaver.  Anyone running
either of these two screensavers will suffer their session getting
hijacked by someone pressing the menu key before the password box comes
up.

The patch is simple enough, it has been applied upstream and any further
versions of gtk will not be affected.

I've built the package with the patch applied and tested that it
correctly makes both screensavers behave, plus it gets rid of the
infinite-menu problem (the original problem that the commit says it's
fixing).

I'm attaching the debdiff with the patch.  It would be great if this was
uploaded to trusty.

** Patch added: "Debdiff applying the patch"
   https://bugs.launchpad.net/ubuntu/trusty/+source/gtk+3.0/+bug/1366790/+attachment/4299068/+files/gtk3-menukey.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gtk+3.0 in Ubuntu.
https://bugs.launchpad.net/bugs/1366790

Title:
  Fix for CVE-2014-1949 (GTK 3.10.x)

Status in gtk+3.0 package in Ubuntu:
  Fix Released
Status in gtk+3.0 source package in Trusty:
  Confirmed
Status in gtk+3.0 source package in Utopic:
  Fix Released

Bug description:
  [Impact]
  Users running gnome-screensaver or cinnamon-screensaver may get their lock screen bypassed by users pressing the menu key before the password prompt turns up.

  [Testcase]
  Start GNOME or any other desktop running gnome-screensaver.  Open a terminal. Lock the screen.  Before pressing any other key, press the menu key on the keyboard.

  Results:
   * Without this patch: the menu comes up and after that the terminal, being the window that had focus before the lock, receives all keyboard input.  It's very hard to get the input to go to the password field.
   * With this patch: the password prompt comes up and has focus. Any keys pressed go to the password field.

  [Regression potential]
  The patch removes one function from gtk-window (popup-menu) that was only present for a short time.  It's already been removed in the gtk version present in Utopic. It's very unlikely that any other issues will come up because of this.

  [More info]
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759145
  https://bugzilla.redhat.com/show_bug.cgi?id=1064695
  https://mail.gnome.org/archives/commits-list/2014-January/msg03294.html
  https://github.com/linuxmint/cinnamon-screensaver/issues/44

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gtk+3.0/+bug/1366790/+subscriptions