Disconnecting a video output can cause XScreenSaver to crash (QSB-068, CVE-2021-34557) #6595

Closed
mcku opened this issue May 11, 2021 · 37 comments
Labels
C: desktop-linux diagnosed Technical diagnosis has been performed (see issue comments). P: blocker Priority: blocker. Prevents release or would have prevented release if known prior to release. security This issue pertains to the security of Qubes OS. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.

Comments

@mcku

mcku commented May 11, 2021

Qubes OS version

4.0.4

Affected component(s) or functionality

Screensaver, locking with Ctrl-Alt-L

Brief summary

Nothing happens when trying to lock the screen. No logs. Screensaver IS set to autostart already. And it works for some time. But after some time (not sure about the exact cause), the inactivity timer does not lock the screen, nor does the screen lock shortcut work. When I open the Xfce Screensaver panel, it complains about the screensaver daemon not running. Even after starting the daemon, the same thing happens after some time.
As there is no log at all, I cannot trace the cause.

How Reproducible

This started a few days ago, probably after applying a UEFI firmware update. The bug is always present since then, I guess.

To Reproduce

Steps to reproduce the behavior:

  1. Boot the system.
  2. Log in. Do some work.
  3. The computer won't lock when you expect it to lock its screen.

Expected behavior

The lock should work.

Actual behavior

Lock is disabled

Screenshots

Additional context

It might be considered a security issue as well, I did not notice that the screen was not locked but had the impression that it was.

Solutions you've tried

starting the xscreensaver using the respective xfce settings panel

Relevant documentation you've consulted

Found some basic info that suggests to restart the screensaver, to put it into autostart (which already appears in session and startup panel as a ticked item)

Related, non-duplicate issues

(could not find any)

@mcku mcku added P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. labels May 11, 2021
@ghost

ghost commented May 11, 2021

Try starting xscreensaver manually (kill the autostarted one if you have to), then put the log here when it crashes.

@mcku
Author

mcku commented May 11, 2021

I think I can easily reproduce it now.
I don't want to paste it here as it might be a security concern.

@andrewdavidwong andrewdavidwong added C: desktop-linux needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. labels May 11, 2021
@andrewdavidwong andrewdavidwong added this to the Release 4.0 updates milestone May 11, 2021
@mcku
Author

mcku commented May 11, 2021

The bug can be reproduced even when the screen is locked

@andrewdavidwong
Member

> It might be considered a security issue as well, I did not notice that the screen was not locked but had the impression that it was.

Perhaps, but it is somewhat suspicious that this has not been more widely reported, given how many other XScreenSaver issues we have and the overwhelming volume of discussion about it over the years. I suggest suspending judgment until we get more information.

> I think I can easily reproduce it now.
> I don't want to paste it here as it might be a security concern.

You can instead report it confidentially to the Qubes Security Team, if you believe that would be more appropriate: https://www.qubes-os.org/security/
Please make sure to provide a link to this issue so that they know what you're referring to.

@andrewdavidwong
Member

> The bug can be reproduced even when the screen is locked

To be clear, you're saying that someone with physical access to a screen-locked Qubes installation can bypass the screen locker without the password? If so, I certainly agree that's a critical security bug.

@andrewdavidwong andrewdavidwong added P: critical Priority: critical. Between "major" and "blocker" in severity. security This issue pertains to the security of Qubes OS. and removed P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. labels May 11, 2021
@unman
Member

unman commented May 11, 2021 via email

@mcku
Author

mcku commented May 11, 2021

@unman Sorry that the original question might be vague. At that time I did not have an idea about the cause.

The screensaver runs.. but then it crashes. I have captured and sent the log to the security team email already.

@marmarek
Member

marmarek commented May 11, 2021 via email

@mcku
Author

mcku commented May 11, 2021

@marmarek sent again

@mcku
Author

mcku commented May 14, 2021

I have tried the new xscreensaver package (version 6.00) and can confirm that this issue is not present anymore. Therefore closing this.

@mcku mcku closed this as completed May 14, 2021
@marmarek
Member

Let's keep it open until the package lands in current-testing repo.

@marmarek marmarek reopened this May 14, 2021
@DemiMarie DemiMarie added P: blocker Priority: blocker. Prevents release or would have prevented release if known prior to release. and removed P: critical Priority: critical. Between "major" and "blocker" in severity. labels May 24, 2021
@mcku
Author

mcku commented Jun 1, 2021

I have experienced the same behavior after upgrading to r4.1 (where xscreensaver version is 5.45)

@0spinboson

> I have experienced the same behavior after upgrading to r4.1 (where xscreensaver version is 5.45)

same. died after 2 weeks uptime or so

@unman
Member

unman commented Jun 1, 2021 via email

@mcku
Author

mcku commented Jun 2, 2021

Since a reasonable time has passed and a fix exists, I would disclose a little more detail.

The issue is related to TB3 and probably to UEFI settings. In my case, plugging/unplugging a TB3 dock kills the screensaver. Yes, as simple as that. But probably not all hardware/firmware are affected (who knows).

The xscreensaver update to 6.0.0 apparently fixes the issue.

I will be away from my dock for some time. But I can speculate that i3wm etc. would not suffer from this.

@DemiMarie

@marmarek this needs to be backported to R4.0. It might also call for a QSB, but I am not sure.

@marmarek
Member

marmarek commented Jun 3, 2021

Yes, I'm on it. The changes in 6.0 are massive and while many of them are improvements, they are too invasive for a security fix. R4.0 will receive a fix for just this specific issue.

@andrewdavidwong andrewdavidwong removed the needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. label Jun 4, 2021
@andrewdavidwong andrewdavidwong added the diagnosed Technical diagnosis has been performed (see issue comments). label Jun 4, 2021
@andrewdavidwong
Member

QSB has been issued: https://www.qubes-os.org/news/2021/06/04/qsb-068/

> Let's keep it open until the package lands in current-testing repo.

Guessing you meant security-testing. The package is there now, so I'm closing this as resolved.

Thanks again for the report, @mcku.

@StayPirate

Has a CVE been requested for this bug? Since this is a confirmed security bug, it should get one.

@DemiMarie

> Has a CVE been requested for this bug? Since this is a confirmed security bug, it should get one.

I also plan to propose an X protocol extension for “exit if this connection dies”.

@DemiMarie DemiMarie reopened this Jun 10, 2021
@andrewdavidwong
Member

andrewdavidwong commented Jun 10, 2021

> Has a CVE been requested for this bug? Since this is a confirmed security bug, it should get one.

Not that I'm aware of. Please go ahead.

> I also plan to propose an X protocol extension for “exit if this connection dies”.

Shouldn't that be filed as a separate enhancement issue? This security bug has already been fixed.

@DemiMarie

> > I also plan to propose an X protocol extension for “exit if this connection dies”.
>
> Shouldn't that be filed as a separate enhancement issue? This security bug has already been fixed.

Yes, it should. We can carry it as an out-of-tree patch if necessary.

@StayPirate

> > Has a CVE been requested for this bug? Since this is a confirmed security bug, it should get one.
>
> Not that I'm aware of. Please go ahead.

CVE-2021-34557. Please add it somewhere it can easily be associated with its patch (commit message, issue name, GH SA), other than in the changelog.

@andrewdavidwong andrewdavidwong changed the title Xscreensaver dies unexpectedly, cannot lock screen Xscreensaver dies unexpectedly, cannot lock screen (CVE-2021-34557) Jun 11, 2021
@andrewdavidwong
Member

> > > Has a CVE been requested for this bug? Since this is a confirmed security bug, it should get one.
> >
> > Not that I'm aware of. Please go ahead.
>
> CVE-2021-34557. Please add it somewhere it can easily be associated with its patch (commit message, issue name, GH SA), other than in the changelog.

Thanks! Just added it to this issue's title. Does that work?

@andrewdavidwong andrewdavidwong changed the title Xscreensaver dies unexpectedly, cannot lock screen (CVE-2021-34557) Disconnecting a video output can cause XScreenSaver to crash (QSB-068, CVE-2021-34557) Jun 11, 2021
@andrewdavidwong
Member

Come to think of it, might as well also update the issue title to match the QSB title and reference the QSB number too.

@mcku
Author

mcku commented Jun 20, 2021

Hi, there is a variant to this issue, which results in the same behavior with the patched xscreensaver 5.45.

Will send details to the security team.

@StayPirate

StayPirate commented Jun 21, 2021

Since this seems to be a new embargoed bug, it should be discussed at the linux-distros ML, at least until it becomes public. Can you open a new thread there sharing all the details?

@DemiMarie

> Since this seems to be a new embargoed bug, this should be discussed at the linux-distros ML, at least until it becomes public. Can you open a new thread there sharing all the details?

distros@ would actually be better, as this bug is (presumably) not Linux-specific.

@mcku
Author

mcku commented Jun 25, 2021

Until there is a solution, I decided to switch to a different screen lock.

The one I used before was i3lock. In order to switch, I have uninstalled xscreensaver completely. Then using xfconf I have assigned i3lock to be the default screen lock.

@DemiMarie

The ultimate fix for these problems is to switch to Wayland. In the meantime, there are plans to terminate the X server if the screen locker dies.

@unman
Member

unman commented Jun 26, 2021 via email

@DemiMarie

> > The ultimate fix for these problems is to switch to Wayland. In the meantime, there are plans to terminate the X server if the screen locker dies.
>
> I know this was mooted in the past, but is it actually in the plan? If so, where is that documented?

The plans are mostly in my head and in internal discussions; I have not documented them yet.

@DemiMarie

@marmarek @HW42 was this ultimately fixed?

@DemiMarie

@HW42 @marmarek Ping?

@mcku
Author

mcku commented Jul 25, 2022

[Image: screen_locker_is_broken]

I think what KDE does is a great idea

@DemiMarie

I agree. Another option would be to rely on a new X protocol extension (version 6.1 of XFixes) that causes screenlocker crashes to terminate the X server. I have implemented it and I believe there is a decent chance it will be accepted upstream.
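
The fail-closed behaviour discussed in this thread (end the session if the screen locker dies, rather than leave the desktop exposed) can be approximated from user space by a supervisor that runs the locker as its child. This is an added example, not part of the issue thread and not Qubes, XScreenSaver or XFixes code; the function names, the use of `loginctl terminate-session` with `XDG_SESSION_ID`, and a locker that stays in the foreground are assumptions of the example.

```c
#include <errno.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

enum locker_end { LOCKER_CLEAN, LOCKER_FAILED, LOCKER_CRASHED };

/* Run the locker as a direct child (it must stay in the foreground) and
 * classify how it ended. waitpid() reports the death at once, so there is
 * no polling gap during which the session is silently unprotected. */
static enum locker_end run_locker(char *const argv[])
{
    int status = 0;
    pid_t r, pid = fork();
    if (pid < 0) return LOCKER_FAILED;   /* could not start: treat as unsafe */
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                      /* locker binary could not be run */
    }
    do { r = waitpid(pid, &status, 0); } while (r < 0 && errno == EINTR);
    if (r < 0) return LOCKER_FAILED;
    if (WIFSIGNALED(status)) return LOCKER_CRASHED;   /* killed by a signal */
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0)
               ? LOCKER_CLEAN : LOCKER_FAILED;        /* non-zero exit counts too */
}

/* Assumed policy: end the logind session instead of leaving it unlocked. */
static void terminate_session(void)
{
    const char *sid = getenv("XDG_SESSION_ID");
    if (sid)
        execlp("loginctl", "loginctl", "terminate-session", sid, (char *)NULL);
    _exit(1);   /* no session id, or exec failed: exit with an error status */
}

/* Anything but a clean exit triggers the action; NULL means dry run. */
static enum locker_end supervise(char *const argv[], void (*fail_closed)(void))
{
    enum locker_end how = run_locker(argv);
    if (how != LOCKER_CLEAN && fail_closed)
        fail_closed();
    return how;
}

int main(int argc, char **argv)
{
    if (argc < 2) return 2;              /* usage: supervisor locker [args...] */
    return supervise(argv + 1, terminate_session) == LOCKER_CLEAN ? 0 : 1;
}
```

Unlike the protocol-level approach mentioned above, a supervisor like this only covers a locker it started itself, and it does nothing if the supervisor process is the one that dies.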

@DemiMarie

Closing as this particular bug is fixed.
