Bug#759145: Followup: CVE-2014-1949: cinnamon-screensaver can be bypassed by pressing Menu key

Michael Webster miketwebster at gmail.com
Sun Aug 24 19:45:45 UTC 2014


Package: libgtk-3-0
Version: 3.10.8~4
Severity: important
Tags: upstream

Just a followup to the referenced bug, at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738828

This appears to be the commit that fixes the issue:
https://git.gnome.org/browse/gtk+/commit/?id=1691bb741d50c90ee938f0b73fe81b0ca9bfd6d4

Testing locally confirms.

An easier way to manifest this issue is to open a gtk3 app (such as
gnome-terminal), activate the physical menu key (NOT your DE's 'menu' key) - the
one traditionally to the right of the space bar, and usually displaying a small
context menu picture on it.  Once the gnome-terminal context menu pops up, keep
pressing the menu key.  This will spawn endless GtkWindow 'fallback' popup
menus - more noticeable if you move the pointer while doing this.  This issue
was originally reported here:
https://github.com/linuxmint/Cinnamon/issues/3443

An effective patch for cinnamon-screensaver (to address the security issue) is
here:
https://github.com/mtwebster/cinnamon-screensaver/commit/da7af55f1fa966c52e15cc288d4f8928eca8cc9f
which will prevent the GtkWindow popup_menu from ever getting called.

-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13.0-24-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libgtk-3-0 depends on:
ii  libatk-bridge2.0-0   2.10.2-2ubuntu1
ii  libatk1.0-0          2.10.0-2ubuntu2
ii  libc6                2.19-0ubuntu6.1
ii  libcairo-gobject2    1.13.0~20140204-0ubuntu1
ii  libcairo2            1.13.0~20140204-0ubuntu1
ii  libcolord1           1.0.6-1
ii  libcups2             1.7.2-0ubuntu1.1
ii  libfontconfig1       2.11.0-0ubuntu4.1
ii  libgdk-pixbuf2.0-0   2.30.7-0ubuntu1
ii  libglib2.0-0         2.40.0-2
ii  libgtk-3-common      3.10.8~4
ii  libpango-1.0-0       1.36.3-1ubuntu1
ii  libpangocairo-1.0-0  1.36.3-1ubuntu1
ii  libpangoft2-1.0-0    1.36.3-1ubuntu1
ii  libwayland-client0   1.4.0-1ubuntu1
ii  libwayland-cursor0   1.4.0-1ubuntu1
ii  libx11-6             2:1.6.2-1ubuntu2
ii  libxcomposite1       1:0.4.4-1
ii  libxcursor1          1:1.1.14-1
ii  libxdamage1          1:1.1.4-1ubuntu1
ii  libxext6             2:1.3.2-1
ii  libxfixes3           1:5.0.1-1ubuntu1
ii  libxi6               2:1.7.1.901-1ubuntu1
ii  libxinerama1         2:1.1.3-1
ii  libxkbcommon0        0.4.1-0ubuntu1
ii  libxrandr2           2:1.4.2-1
ii  multiarch-support    2.19-0ubuntu6.1
ii  shared-mime-info     1.2-0ubuntu3

Versions of packages libgtk-3-0 recommends:
ii  hicolor-icon-theme  0.13-1
ii  libgtk-3-bin        3.10.8~4

Versions of packages libgtk-3-0 suggests:
ii  gvfs             1.20.1-1ubuntu1
ii  librsvg2-common  2.40.2-1

-- no debconf information