Fix for CVE-2014-1949 (GTK 3.10.x)

Bug #1366790 reported by Michael Webster on 2014-09-08
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Fix Released
gtk+3.0 (Debian)
Fix Released
gtk+3.0 (Ubuntu)

Bug Description

Users running gnome-screensaver or cinnamon-screensaver may get their lock screen bypassed by users pressing the menu key before the password prompt turns up.

Start GNOME or any other desktop running gnome-screensaver. Open a terminal. Lock the screen. Before pressing any other key, press the menu key on the keyboard.

 * Without this patch: the menu comes up and after that the terminal, being the window that had focus before the lock, receives all keyboard input. It's very hard to get the input to go to the password field.
 * With this patch: the password prompt comes up and has focus. Any keys pressed go to the password field.

[Regression potential]
The patch removes one function from gtk-window (popup-menu) that was only present for a short time. It's already been removed in the gtk version present in Utopic. It's very unlikely that any other issues will come up because of this.

[More info]

CVE References

information type: Private Security → Public Security
Marc Deslauriers (mdeslaur) wrote :

CVE-2014-1949 was assigned to cinnamon-screensaver.

The fix for this issue actually lies in gtk+3.0, in the following commit:

gtk+3.0 is already fixed in utopic, and we only have connamon-screensaver in utopic.

Hence, this issue doesn't have a security impact in trusty.

If you would like this fixed in the gtk+3.0 package in trusty, it will need to be done through the SRU process just like other bug fixes. Please see the following for the procedure:

Changed in gtk+3.0 (Ubuntu Utopic):
status: New → Fix Released
Changed in gtk+3.0 (Ubuntu Trusty):
status: New → Confirmed
information type: Public Security → Public
Michael Webster (miketwebster) wrote :

So, GTK3 apps that use context menus shouldn't be fixed to avoid a cascade of menus popping up if they use their menu key?

Did you read beyond "cinnamon?"

Should I open a new bug that doesn't say 'security issue'?

Michael Webster (miketwebster) wrote :

fwiw, it's been applied to upstream 3.10, thanks for your 'time,' I enjoyed it.

Margarita Manterola (marga-9) wrote :

This bug is still affecting Trusty. Not only it affects cinnamon-screensaver, but it also affects gnome-screensaver. Anyone running either of these two screensavers will suffer their session getting hijacked by someone pressing the menu key before the password box comes up.

The patch is simple enough, it has been applied upstream and any further versions of gtk will not be affected.

I've built the package with the patch applied and tested that it correctly makes both screensavers behave, plus it gets rid of the infinite-menu problem (the original problem that the commit says it's fixing).

I'm attaching the debdiff with the patch. It would be great if this was uploaded to trusty.

description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gtk+3.0 - 3.10.8-0ubuntu1.4

gtk+3.0 (3.10.8-0ubuntu1.4) trusty-security; urgency=medium

  * debian/patches/no_popup_menu_in_gtk_window.patch
    - Prevents the menu key from opening neverending menus and from taking
      the focus away from the screensaver (LP: #1366790)
 -- Margarita Manterola <email address hidden> Thu, 15 Jan 2015 10:47:19 +0100

Changed in gtk+3.0 (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in gtk+3.0 (Debian):
status: Unknown → Fix Released
Changed in gtk:
importance: Unknown → Medium
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.