| 2021-01-16 15:41:51 |
Joshua Peisach |
bug |
|
|
added bug |
| 2021-01-16 15:42:06 |
Joshua Peisach |
information type |
Private Security |
Public Security |
|
| 2021-01-16 16:54:46 |
Joshua Peisach |
description |
It was found in cinnamon-screensaver that pressing ē can crash the screensaver and Cinnamon DE itself.
This is a regression of solving CVE-2020-25712 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25712) in xserver (https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9)
The following versions of Cinnamon are affected:
4.4 - Focal
4.6 - Groovy
4.8 - Hirsute (unstable)
Upstream caribou doesn't seem very maintained anymore. Hopefully patch will be put upstream so Hirsute can be solved. After that I will SRU Focal and Groovy.
TL;DR: Caribou segfaults on pressing ē which can cause a screensaver bypass to cinnamon-screensaver and possibly any screensaver application using gir1.2-caribou-1.0.
ProblemType: Bug
DistroRelease: Ubuntu 20.10
Package: gir1.2-caribou-1.0 0.4.21-7
ProcVersionSignature: Ubuntu 5.8.0-33.36-generic 5.8.17
Uname: Linux 5.8.0-33-generic x86_64
ApportVersion: 2.20.11-0ubuntu50.3
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: ubuntu:GNOME
Date: Sat Jan 16 10:36:59 2021
InstallationDate: Installed on 2020-10-23 (85 days ago)
InstallationMedia: Ubuntu 20.10 "Groovy Gorilla" - Release amd64 (20201022)
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
RebootRequiredPkgs:
linux-image-5.8.0-38-generic
linux-base
SourcePackage: caribou
UpgradeStatus: No upgrade log present (probably fresh install) |
It was found in cinnamon-screensaver that pressing ē can crash the screensaver and Cinnamon DE itself.
This is a regression of solving CVE-2020-25712 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25712) in xserver (https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9)
Supposed patch: https://gitlab.gnome.org/GNOME/caribou/-/merge_requests/3
The following versions of Cinnamon are affected:
4.4 - Focal
4.6 - Groovy
4.8 - Hirsute (unstable)
Upstream caribou doesn't seem very maintained anymore. Hopefully patch will be put upstream so Hirsute can be solved. After that I will SRU Focal and Groovy.
TL;DR: Caribou segfaults on pressing ē which can cause a screensaver bypass to cinnamon-screensaver and possibly any screensaver application using gir1.2-caribou-1.0.
ProblemType: Bug
DistroRelease: Ubuntu 20.10
Package: gir1.2-caribou-1.0 0.4.21-7
ProcVersionSignature: Ubuntu 5.8.0-33.36-generic 5.8.17
Uname: Linux 5.8.0-33-generic x86_64
ApportVersion: 2.20.11-0ubuntu50.3
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: ubuntu:GNOME
Date: Sat Jan 16 10:36:59 2021
InstallationDate: Installed on 2020-10-23 (85 days ago)
InstallationMedia: Ubuntu 20.10 "Groovy Gorilla" - Release amd64 (20201022)
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
RebootRequiredPkgs:
linux-image-5.8.0-38-generic
linux-base
SourcePackage: caribou
UpgradeStatus: No upgrade log present (probably fresh install) |
|
| 2021-01-16 17:30:52 |
Joshua Peisach |
bug |
|
|
added subscriber Ubuntu Security Team |
| 2021-01-16 17:55:14 |
fossfreedom |
nominated for series |
|
Ubuntu Groovy |
|
| 2021-01-16 17:55:14 |
fossfreedom |
bug task added |
|
caribou (Ubuntu Groovy) |
|
| 2021-01-16 17:55:14 |
fossfreedom |
nominated for series |
|
Ubuntu Focal |
|
| 2021-01-16 17:55:14 |
fossfreedom |
bug task added |
|
caribou (Ubuntu Focal) |
|
| 2021-01-16 17:55:14 |
fossfreedom |
nominated for series |
|
Ubuntu Hirsute |
|
| 2021-01-16 17:55:14 |
fossfreedom |
bug task added |
|
caribou (Ubuntu Hirsute) |
|
| 2021-01-16 22:31:22 |
Joshua Peisach |
caribou (Ubuntu Focal): assignee |
|
Joshua Peisach (itzswirlz) |
|
| 2021-01-16 22:31:24 |
Joshua Peisach |
caribou (Ubuntu Groovy): assignee |
|
Joshua Peisach (itzswirlz) |
|
| 2021-01-19 17:51:03 |
Joshua Peisach |
caribou (Ubuntu Hirsute): status |
New |
In Progress |
|
| 2021-01-23 09:51:40 |
Fantu |
caribou (Ubuntu Hirsute): status |
In Progress |
Fix Released |
|
| 2021-01-23 10:26:20 |
Fantu |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
| 2021-01-23 10:43:46 |
Fantu |
attachment added |
|
patch for focal fix https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+attachment/5455950/+files/caribou_0.4.21-7_0.4.21-7ubuntu0.1.diff |
|
| 2021-01-23 10:47:26 |
Fantu |
tags |
amd64 apport-bug focal groovy hirsute regression |
amd64 apport-bug focal groovy hirsute patch regression |
|
| 2021-01-23 10:47:48 |
Launchpad Janitor |
caribou (Ubuntu Focal): status |
New |
Confirmed |
|
| 2021-01-23 10:47:48 |
Launchpad Janitor |
caribou (Ubuntu Groovy): status |
New |
Confirmed |
|
| 2021-01-23 16:41:55 |
Joshua Peisach |
caribou (Ubuntu Focal): status |
Confirmed |
In Progress |
|
| 2021-01-23 16:41:57 |
Joshua Peisach |
caribou (Ubuntu Groovy): status |
Confirmed |
In Progress |
|
| 2021-01-24 03:05:32 |
Joshua Peisach |
caribou (Ubuntu Focal): assignee |
Joshua Peisach (itzswirlz) |
|
|
| 2021-01-24 03:05:53 |
Joshua Peisach |
caribou (Ubuntu Focal): assignee |
|
Joshua Peisach (itzswirlz) |
|
| 2021-01-24 06:07:24 |
Mathew Hodson |
caribou (Ubuntu Focal): importance |
Undecided |
Medium |
|
| 2021-01-24 06:07:27 |
Mathew Hodson |
caribou (Ubuntu Groovy): importance |
Undecided |
Medium |
|
| 2021-01-24 06:07:29 |
Mathew Hodson |
caribou (Ubuntu Hirsute): importance |
Undecided |
Medium |
|
| 2021-01-24 06:14:54 |
Mathew Hodson |
tags |
amd64 apport-bug focal groovy hirsute patch regression |
amd64 apport-bug focal groovy hirsute patch regression-update |
|
| 2021-01-24 07:22:38 |
Mathew Hodson |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980061 |
|
| 2021-01-24 07:22:38 |
Mathew Hodson |
bug task added |
|
caribou (Debian) |
|
| 2021-01-25 11:52:38 |
Fantu |
description |
It was found in cinnamon-screensaver that pressing ē can crash the screensaver and Cinnamon DE itself.
This is a regression of solving CVE-2020-25712 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25712) in xserver (https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9)
Supposed patch: https://gitlab.gnome.org/GNOME/caribou/-/merge_requests/3
The following versions of Cinnamon are affected:
4.4 - Focal
4.6 - Groovy
4.8 - Hirsute (unstable)
Upstream caribou doesn't seem very maintained anymore. Hopefully patch will be put upstream so Hirsute can be solved. After that I will SRU Focal and Groovy.
TL;DR: Caribou segfaults on pressing ē which can cause a screensaver bypass to cinnamon-screensaver and possibly any screensaver application using gir1.2-caribou-1.0.
ProblemType: Bug
DistroRelease: Ubuntu 20.10
Package: gir1.2-caribou-1.0 0.4.21-7
ProcVersionSignature: Ubuntu 5.8.0-33.36-generic 5.8.17
Uname: Linux 5.8.0-33-generic x86_64
ApportVersion: 2.20.11-0ubuntu50.3
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: ubuntu:GNOME
Date: Sat Jan 16 10:36:59 2021
InstallationDate: Installed on 2020-10-23 (85 days ago)
InstallationMedia: Ubuntu 20.10 "Groovy Gorilla" - Release amd64 (20201022)
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
RebootRequiredPkgs:
linux-image-5.8.0-38-generic
linux-base
SourcePackage: caribou
UpgradeStatus: No upgrade log present (probably fresh install) |
[Impact]
There is a regression after solving CVE-2020-25712 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25712) in xserver (https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9) that make caribou crash pressing ē.
In cinnamon-screensaver (>=4.2 where integrated the virtual keyboard) crash of caribou cause also screensaver crash and make possible access without insert the correct password, this introduced a security issue.
[Test Case]
In cinnamon-screensaver (>=4.2) pressing ē (after long press on e) in virtual keyboard (button at the bottom of the screen in the center) make caribou (and the screensaver) crash and access without insert the correct password.
[Where problems could occur]
The following versions of ubuntu are affected by the security caused by caribou crash of this issue:
- Focal (cinnamon 4.4)
- Groovy (cinnamon 4.6)
- Hirsute (bug solved with 0.4.21-7.1)
The patch attached in https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/comments/4 (for Focal) have the same changes of 0.4.21-7.1 (debian unstable, debian testing and Hirsute) and same patches are used also in some other distros that already applied the fix faster (as security issue) and 1 week or more went by without experiencing regressions at the moment.
The patch is already tested in Focal, can be used also in Groovy (only changing focal->groovy). |
|
| 2021-01-25 11:55:33 |
Fantu |
summary |
Segfault with gir1.2-caribou-1.0 keyboard device info regression |
[SRU] caribou: Segfault (as regression of xorg CVE-2020-25712 fix) cause security issue for cinnamon |
|
| 2021-01-25 12:02:50 |
Fantu |
attachment removed |
patch for focal fix https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+attachment/5455950/+files/caribou_0.4.21-7_0.4.21-7ubuntu0.1.diff |
|
|
| 2021-01-25 12:03:48 |
Fantu |
attachment added |
|
patch for focal https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+attachment/5456637/+files/caribou_0.4.21-7_0.4.21-7ubuntu0.1.diff |
|
| 2021-01-25 12:05:19 |
Fantu |
description |
[Impact]
There is a regression after solving CVE-2020-25712 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25712) in xserver (https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9) that make caribou crash pressing ē.
In cinnamon-screensaver (>=4.2 where integrated the virtual keyboard) crash of caribou cause also screensaver crash and make possible access without insert the correct password, this introduced a security issue.
[Test Case]
In cinnamon-screensaver (>=4.2) pressing ē (after long press on e) in virtual keyboard (button at the bottom of the screen in the center) make caribou (and the screensaver) crash and access without insert the correct password.
[Where problems could occur]
The following versions of ubuntu are affected by the security caused by caribou crash of this issue:
- Focal (cinnamon 4.4)
- Groovy (cinnamon 4.6)
- Hirsute (bug solved with 0.4.21-7.1)
The patch attached in https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/comments/4 (for Focal) have the same changes of 0.4.21-7.1 (debian unstable, debian testing and Hirsute) and same patches are used also in some other distros that already applied the fix faster (as security issue) and 1 week or more went by without experiencing regressions at the moment.
The patch is already tested in Focal, can be used also in Groovy (only changing focal->groovy). |
[Impact]
There is a regression after solving CVE-2020-25712 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25712) in xserver (https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9) that make caribou crash pressing ē.
In cinnamon-screensaver (>=4.2 where integrated the virtual keyboard) crash of caribou cause also screensaver crash and make possible access without insert the correct password, this introduced a security issue.
[Test Case]
In cinnamon-screensaver (>=4.2) pressing ē (after long press on e) in virtual keyboard (button at the bottom of the screen in the center) make caribou (and the screensaver) crash and access without insert the correct password.
[Where problems could occur]
The following versions of ubuntu are affected by the security caused by caribou crash of this issue:
- Focal (cinnamon 4.4)
- Groovy (cinnamon 4.6)
- Hirsute (bug solved with 0.4.21-7.1)
The patch attached in #4 (for Focal) have the same changes of 0.4.21-7.1 (debian unstable, debian testing and Hirsute) and same patches are used also in some other distros that already applied the fix faster (as security issue) and 1 week or more went by without experiencing regressions at the moment.
The patch is already tested in Focal, can be used also in Groovy (only changing focal->groovy). |
|
| 2021-01-25 12:05:31 |
Fantu |
description |
[Impact]
There is a regression after solving CVE-2020-25712 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25712) in xserver (https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9) that make caribou crash pressing ē.
In cinnamon-screensaver (>=4.2 where integrated the virtual keyboard) crash of caribou cause also screensaver crash and make possible access without insert the correct password, this introduced a security issue.
[Test Case]
In cinnamon-screensaver (>=4.2) pressing ē (after long press on e) in virtual keyboard (button at the bottom of the screen in the center) make caribou (and the screensaver) crash and access without insert the correct password.
[Where problems could occur]
The following versions of ubuntu are affected by the security caused by caribou crash of this issue:
- Focal (cinnamon 4.4)
- Groovy (cinnamon 4.6)
- Hirsute (bug solved with 0.4.21-7.1)
The patch attached in #4 (for Focal) have the same changes of 0.4.21-7.1 (debian unstable, debian testing and Hirsute) and same patches are used also in some other distros that already applied the fix faster (as security issue) and 1 week or more went by without experiencing regressions at the moment.
The patch is already tested in Focal, can be used also in Groovy (only changing focal->groovy). |
[Impact]
There is a regression after solving CVE-2020-25712 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25712) in xserver (https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9) that make caribou crash pressing ē.
In cinnamon-screensaver (>=4.2 where integrated the virtual keyboard) crash of caribou cause also screensaver crash and make possible access without insert the correct password, this introduced a security issue.
[Test Case]
In cinnamon-screensaver (>=4.2) pressing ē (after long press on e) in virtual keyboard (button at the bottom of the screen in the center) make caribou (and the screensaver) crash and access without insert the correct password.
[Where problems could occur]
The following versions of ubuntu are affected by the security caused by caribou crash of this issue:
- Focal (cinnamon 4.4)
- Groovy (cinnamon 4.6)
- Hirsute (bug solved with 0.4.21-7.1)
The patch attached in #10 (for Focal) have the same changes of 0.4.21-7.1 (debian unstable, debian testing and Hirsute) and same patches are used also in some other distros that already applied the fix faster (as security issue) and 1 week or more went by without experiencing regressions at the moment.
The patch is already tested in Focal, can be used also in Groovy (only changing focal->groovy). |
|
| 2021-01-25 12:05:45 |
Fantu |
description |
[Impact]
There is a regression after solving CVE-2020-25712 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25712) in xserver (https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9) that make caribou crash pressing ē.
In cinnamon-screensaver (>=4.2 where integrated the virtual keyboard) crash of caribou cause also screensaver crash and make possible access without insert the correct password, this introduced a security issue.
[Test Case]
In cinnamon-screensaver (>=4.2) pressing ē (after long press on e) in virtual keyboard (button at the bottom of the screen in the center) make caribou (and the screensaver) crash and access without insert the correct password.
[Where problems could occur]
The following versions of ubuntu are affected by the security caused by caribou crash of this issue:
- Focal (cinnamon 4.4)
- Groovy (cinnamon 4.6)
- Hirsute (bug solved with 0.4.21-7.1)
The patch attached in #10 (for Focal) have the same changes of 0.4.21-7.1 (debian unstable, debian testing and Hirsute) and same patches are used also in some other distros that already applied the fix faster (as security issue) and 1 week or more went by without experiencing regressions at the moment.
The patch is already tested in Focal, can be used also in Groovy (only changing focal->groovy). |
[Impact]
There is a regression after solving CVE-2020-25712 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25712) in xserver (https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9) that make caribou crash pressing ē.
In cinnamon-screensaver (>=4.2 where integrated the virtual keyboard) crash of caribou cause also screensaver crash and make possible access without insert the correct password, this introduced a security issue.
[Test Case]
In cinnamon-screensaver (>=4.2) pressing ē (after long press on e) in virtual keyboard (button at the bottom of the screen in the center) make caribou (and the screensaver) crash and access without insert the correct password.
[Where problems could occur]
The following versions of ubuntu are affected by the security caused by caribou crash of this issue:
- Focal (cinnamon 4.4)
- Groovy (cinnamon 4.6)
- Hirsute (bug solved with 0.4.21-7.1)
The patch attached in comment #10 (for Focal) have the same changes of 0.4.21-7.1 (debian unstable, debian testing and Hirsute) and same patches are used also in some other distros that already applied the fix faster (as security issue) and 1 week or more went by without experiencing regressions at the moment.
The patch is already tested in Focal, can be used also in Groovy (only changing focal->groovy). |
|
| 2021-01-27 18:02:07 |
Fantu |
bug |
|
|
added subscriber Fantu |
| 2021-01-27 21:18:00 |
Fantu |
caribou (Ubuntu Hirsute): assignee |
|
Fantu (fantonifabio) |
|
| 2021-01-28 13:24:53 |
Joshua Peisach |
attachment added |
|
Groovy Patch https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+attachment/5457755/+files/caribou_0.4.21-7ubuntu0.1.debdiff |
|
| 2021-01-28 14:55:38 |
Joshua Peisach |
attachment added |
|
Fixed and Smaller Groovy Patch https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+attachment/5457775/+files/caribou_0.4.21-7ubuntu0.1.debdiff |
|
| 2021-02-05 14:59:34 |
Joshua Peisach |
attachment removed |
Groovy Patch https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+attachment/5457755/+files/caribou_0.4.21-7ubuntu0.1.debdiff |
|
|
| 2021-02-05 18:07:26 |
Joshua Peisach |
attachment added |
|
Final groovy patch https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+attachment/5460621/+files/caribou_0.4.21-7ubuntu0.1.debdiff |
|
| 2021-03-01 09:09:16 |
Bug Watch Updater |
caribou (Debian): status |
Unknown |
Fix Released |
|
| 2021-03-22 22:22:52 |
Joshua Peisach |
attachment added |
|
caribou_0.4.21-7ubuntu0.1.debdiff https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+attachment/5479354/+files/caribou_0.4.21-7ubuntu0.1.debdiff |
|
| 2021-03-22 23:27:59 |
Alex Murray |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
| 2021-04-01 08:45:41 |
Sebastien Bacher |
removed subscriber Ubuntu Sponsors Team |
|
|
|
| 2021-04-08 01:43:49 |
Steve Beattie |
caribou (Ubuntu Focal): assignee |
Joshua Peisach (itzswirlz) |
Steve Beattie (sbeattie) |
|
| 2021-04-08 01:43:56 |
Steve Beattie |
caribou (Ubuntu Groovy): assignee |
Joshua Peisach (itzswirlz) |
Steve Beattie (sbeattie) |
|
| 2021-05-17 15:19:13 |
Joshua Peisach |
attachment added |
|
Screenshot from 2021-05-17 11-02-37.png https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+attachment/5498256/+files/Screenshot%20from%202021-05-17%2011-02-37.png |
|
| 2021-05-17 15:19:28 |
Joshua Peisach |
tags |
amd64 apport-bug focal groovy hirsute patch regression-update |
amd64 apport-bug focal groovy hirsute patch regression-update verification-done-groovy |
|
| 2021-05-17 16:32:24 |
Joshua Peisach |
tags |
amd64 apport-bug focal groovy hirsute patch regression-update verification-done-groovy |
amd64 apport-bug focal groovy hirsute patch regression-update verification-done verification-done-focal verification-done-groovy |
|
| 2021-05-17 20:14:17 |
Launchpad Janitor |
caribou (Ubuntu Focal): status |
In Progress |
Fix Released |
|
| 2021-05-17 20:46:52 |
Launchpad Janitor |
caribou (Ubuntu Groovy): status |
In Progress |
Fix Released |
|
| 2022-05-29 16:39:45 |
Joshua Peisach |
cve linked |
|
2021-3567 |
|
