Package: cinnamon-screensaver
Version: 3.6.1-2
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

I found that cinnamon-screensaver does not start if a window menu is clicked. This can be a security problem as users unaware of this can leave their computer unlocked unwillingly if they clicked a menu before abandoning or trusting that their computer will be locked.

To reproduce this, just click the "File" menu in a window. For example, gnome-terminal's "File" menu.

Starting cinnamon-screensaver in a terminal and looking at its log, I see the following when the screensaver tries to start:

....
couldn't grab keyboard
couldn't grab keyboard
couldn't grab keyboard
couldn't grab keyboard
couldn't grab keyboard
couldn't grab keyboard
couldn't grab keyboard
couldn't grab keyboard
couldn't grab mouse
couldn't grab mouse
couldn't grab mouse
couldn't grab mouse
Can't fade in screensaver, unable to grab the keyboard
.....

If I unselect the "File" menu and wait for the screensaver to trigger again, it is then able to do it.

I'm reporting this as a security issue but I understand having this exploited is somewhat unlikely: it would require the attacker to somehow make (or wait for) the victim to click a menu and ensuring that he leaves his computer unlocked and unattended without noticing the screen lock was not triggered.

Thanks and best regards,
Luís Picciochi Oliveira

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cinnamon-screensaver depends on:
ii  cinnamon-desktop-data       3.6.2-2
ii  gir1.2-accountsservice-1.0  0.6.45-1
ii  gir1.2-cinnamondesktop-3.0  3.6.2-2
ii  gir1.2-gkbd-3.0             3.26.0-3
ii  gir1.2-glib-2.0             1.56.0-2
ii  gir1.2-gtk-3.0              3.22.29-2
ii  gir1.2-xapp-1.0             1.0.4-2
ii  iso-flags-png-320x240       1.0.1-1
ii  libc6                       2.27-3
ii  libcscreensaver0            3.6.1-2
ii  libglib2.0-0                2.56.0-4
ii  libgtk-3-0                  3.22.29-2
ii  python3                     3.6.4-1
ii  python3-gi                  3.28.1-1
ii  python3-gi-cairo            3.28.1-1
ii  python3-setproctitle        1.1.10-1+b1
ii  python3-xapp                1.0.1-1
ii  python3-xlib                0.20-3

Versions of packages cinnamon-screensaver recommends:
pn  cinnamon-screensaver-x-plugin  <none>

Versions of packages cinnamon-screensaver suggests:
pn  cinnamon-screensaver-webkit-plugin  <none>

-- no debconf information