Screensaver lock by-pass via the virtual keyboard

 * Cinnamon version:  Cinnamon 4.6.7
 * Distribution: Fedora 32
 * Graphics hardware *and* driver used: 03:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Ellesmere [Radeon RX 470/480/570/570X/580/580X/590] (rev ef) using amdgpu
 * 32 or 64 bit: 64bit

Issue
Screensaver lock by-pass. It is possible to crash the screensaver and unlock the desktop via the virtual keyboard.

Steps to reproduce
Lock the system
Click on the virtual keyboard
Type at the real keyboard while typing at the virtual keyboard, both at the same time, as many keys as possible.

Expected behaviour
No crash.

Other information
A few weeks ago, my kids wanted to hack my linux desktop, so they typed and clicked everywhere, while I was standing behind them looking at them play... when the screensaver core dumped and they actually hacked their way in! wow, those little hackers... 🐈

I thought it was a unique incident, but they managed to do it a second time. So I'd consider this issue... reproducible... by kids 😄

I tried to recreate the crash on my own with no success, maybe because it required more than 4 little hands typing and using the mouse on the virtual keyboard.

Maybe not the best bug report, but I've seen the screenlock crash twice already with my own eyes, so its pretty real.

One last thing, after the desktop is unlocked, I can't re-lock it again, the screensaver process is pretty dead and requires me to open a shell and run 'cinnamon-screensaver' manually to get it working.

[jbergknoff]

My kids came upon a similar cinnamon-screensaver segfault! I've emailed details of how to reproduce the problem to root@linuxmint.com.

[clefebvre]

Quick update on this.

• It seems to affect all distros and to be a regression from https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9
• This commit came in as a fix for CVE-2020-25712

https://security-tracker.debian.org/tracker/CVE-2020-25712
https://ubuntu.com/security/CVE-2020-25712

We need to understand the xserver code a little bit more and check some of the later commits upstream to understand whether this is something to be fixed in xorg or caribou, and if it's to be fixed in xorg whether it's already fixed in their master version or not.

There's an update in Ubuntu 20.04 (Mint 20.x) which backports xorg 1.20.9 towards focal... that backport actually messed up and missed the CVE fix (which is present in the groovy version), so upgrading to this temporarily fixes this issue. When Ubuntu realize this mistake they'll backport the CVE fix again and this will break again.

Afaik this affects all distributions. On our side we could verify it affects Mint 20x and LMDE 4, and we're pretty sure it affects 19x and 18x as well.

[clefebvre]

On-screen keyboard support was added to the screensaver in Cinnamon 4.2.

In Linux Mint it means the following releases are impacted:

[clefebvre]

We have two different issues:

• In all versions of Cinnamon, the on-screen keyboard (launched from the menu) runs within the Cinnamon process and uses libcaribou. Pressing ē crashes Cinnamon.
• In versions of Cinnamon 4.2 and higher, there's a libcaribou OSK in the screensaver. Pressing ē there crashes the screensaver.

[clefebvre]

Cinnamon crash reproduced in Mint 18.3.
Screensaver crash reproduced in Mint 19.3.
Screensaver crash reproduced in Mint 20 with xserver-common 1.20.8-2ubuntu2.2~18.04.4 (Ubuntu's 1.29 mistakenly forgot to include the CVE fix and overrid it, so as a side effect 1.29 fixes this issue in Mint 20.x right now but that's not an acceptable solution).
Screensaver crash reproduced in LMDE 4.

Is there a way to remove/uninstall the virtual keyboard?

[jbergknoff]

Oddly enough: since yesterday, we haven't been able to reproduce the crash here. Pressing ē on the on-screen keyboard, or changing the keyboard input language and pressing anything, both just result in characters being added to the password input. The only package change since my comment earlier in the issue was to upgrade NVIDIA drivers from 450.80.02 to 450.102.04. That did include an upgrade of xserver-xorg-video-nvidia-450 which sounds like it could be related, but I am skeptical. Pretty strange.

[clefebvre]

@robo2bobo no. We'll most likely patch libcaribou here. This is a high priority bug for us, expect a fix ASAP.

[clefebvre]

@leigh123linux @eli-schwartz @willysr @Fantu this is a critical bug.

TLDR: Since the Xorg update to fix CVE-2020-25712, anybody can crash the screen lock and enter the session without a password. This affects all distributions running Cinnamon 4.2+. It also affects any software using libcaribou.

We're testing the following fix at the moment: https://gitlab.com/linuxmint/pins/mint/caribou/-/commit/c4bc79ddace3da812c529e631da5c04afde31705.

[eli-schwartz]

What's the status of caribou upstream? Is gnome still maintaining it? Are they interested in help, or in merging patches needed by cinnamon? According to https://archlinux.org/packages/extra/x86_64/caribou/ the only current user in Arch is cinnamon.

[Fantu]

As it affect all software using caribou is good to report in it ASAP (if not already done)
Edit: seems don't reported for now, or I'm wrong? https://gitlab.gnome.org/GNOME/caribou/-/issues
from apt-cache rdepend caribou is dep. of by gnome-core, gir1.2-caribou-1.0 is used by cinnamon, rdepend on libcaribou-dev and libcaribou0 return nothing so seems pratically used only by cinnamon (I don't know if there are other software out of debian repository that use it).

[clefebvre]

We'll provide a merge request. This still needs patching in all distros though. Anyone wants to volunteer to create a CVE?

[clefebvre]

@robo2bobo @jbergknoff here are patched packages for caribou:

patched_packages.zip

They should take care of the issue. We're hoping to have them tested tomorrow and pushed to repositories.

[clefebvre]

Sorry these packages are no good, they don't contain our changes for some reason. I suspect the build isn't actually recompiling the vala code... pff...