[Touch-packages] [Bug 1366790] Re: Fix for CVE-2014-1949 (GTK 3.10.x)

2015-01-16 Thread Mathew Hodson
** Bug watch added: Debian Bug tracker #759145
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759145

** Also affects: gtk+3.0 (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759145
   Importance: Unknown
   Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gtk+3.0 in Ubuntu.
https://bugs.launchpad.net/bugs/1366790

Title:
  Fix for CVE-2014-1949 (GTK 3.10.x)

Status in gtk+3.0 package in Ubuntu:
  Fix Released
Status in gtk+3.0 source package in Trusty:
  Fix Released
Status in gtk+3.0 source package in Utopic:
  Fix Released
Status in gtk+3.0 package in Debian:
  Unknown

Bug description:
  [Impact]
  Users running gnome-screensaver or cinnamon-screensaver may get their lock
  screen bypassed by users pressing the menu key before the password prompt
  turns up.

  [Testcase]
  Start GNOME or any other desktop running gnome-screensaver.  Open a terminal.
  Lock the screen.  Before pressing any other key, press the menu key on the
  keyboard.

  Results:
   * Without this patch: the menu comes up and after that the terminal, being
     the window that had focus before the lock, receives all keyboard input.
     It's very hard to get the input to go to the password field.
   * With this patch: the password prompt comes up and has focus. Any keys
     pressed go to the password field.

  [Regression potential]
  The patch removes one function from gtk-window (popup-menu) that was only
  present for a short time.  It's already been removed in the gtk version
  present in Utopic. It's very unlikely that any other issues will come up
  because of this.

  [More info]
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759145
  https://bugzilla.redhat.com/show_bug.cgi?id=1064695
  https://mail.gnome.org/archives/commits-list/2014-January/msg03294.html
  https://github.com/linuxmint/cinnamon-screensaver/issues/44

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gtk+3.0/+bug/1366790/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1366790] Re: Fix for CVE-2014-1949 (GTK 3.10.x)

2015-01-16 Thread Mathew Hodson
** Bug watch added: GNOME Bug Tracker #722106
   https://bugzilla.gnome.org/show_bug.cgi?id=722106

** Also affects: gtk via
   https://bugzilla.gnome.org/show_bug.cgi?id=722106
   Importance: Unknown
   Status: Unknown



[Touch-packages] [Bug 1366790] Re: Fix for CVE-2014-1949 (GTK 3.10.x)

2015-01-16 Thread Bug Watch Updater
** Changed in: gtk+3.0 (Debian)
   Status: Unknown => Fix Released



[Touch-packages] [Bug 1366790] Re: Fix for CVE-2014-1949 (GTK 3.10.x)

2015-01-16 Thread Bug Watch Updater
** Changed in: gtk
   Status: Unknown => Fix Released

** Changed in: gtk
   Importance: Unknown => Medium



[Touch-packages] [Bug 1366790] Re: Fix for CVE-2014-1949 (GTK 3.10.x)

2015-01-15 Thread Launchpad Bug Tracker
This bug was fixed in the package gtk+3.0 - 3.10.8-0ubuntu1.4

---
gtk+3.0 (3.10.8-0ubuntu1.4) trusty-security; urgency=medium

  * debian/patches/no_popup_menu_in_gtk_window.patch
    - Prevents the menu key from opening neverending menus and from taking
      the focus away from the screensaver (LP: #1366790)
 -- Margarita Manterola ma...@google.com   Thu, 15 Jan 2015 10:47:19 +0100

** Changed in: gtk+3.0 (Ubuntu Trusty)
   Status: Confirmed => Fix Released



[Touch-packages] [Bug 1366790] Re: Fix for CVE-2014-1949 (GTK 3.10.x)

2015-01-15 Thread Margarita Manterola
This bug is still affecting Trusty.  Not only does it affect
cinnamon-screensaver, but it also affects gnome-screensaver.  Anyone running
either of these two screensavers will suffer their session getting
hijacked by someone pressing the menu key before the password box comes
up.

The patch is simple enough, it has been applied upstream and any further
versions of gtk will not be affected.

I've built the package with the patch applied and tested that it
correctly makes both screensavers behave, plus it gets rid of the
infinite-menu problem (the original problem that the commit says it's
fixing).

I'm attaching the debdiff with the patch.  It would be great if this was
uploaded to trusty.

** Patch added: Debdiff applying the patch
   https://bugs.launchpad.net/ubuntu/trusty/+source/gtk+3.0/+bug/1366790/+attachment/4299068/+files/gtk3-menukey.debdiff



[Touch-packages] [Bug 1366790] Re: Fix for CVE-2014-1949 (GTK 3.10.x)

2015-01-15 Thread Margarita Manterola
** Description changed:

- Please see:
+ [Impact]
+ Users running gnome-screensaver or cinnamon-screensaver may get their lock 
screen bypassed by users pressing the menu key before the password prompt turns 
up.
  
+ [Testcase]
+ Start GNOME or any other desktop running gnome-screensaver.  Open a terminal. 
Lock the screen.  Before pressing any other key, press the menu key on the 
keyboard.
+ 
+ Results:
+  * Without this patch: the menu comes up and after that the terminal, being 
the window that had focus before the lock, receives all keyboard input.  It's 
very hard to get the input to go to the password field.
+  * With this patch: the password prompt comes up and has focus. Any keys 
pressed go to the password field.
+ 
+ [Regression potential]
+ The patch removes one function from gtk-window (popup-menu) that was only 
present for a short time.  It's already been removed in the gtk version present 
in Utopic. It's very unlikely that any other issues will come up because of 
this.
+ 
+ [More info]
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759145
+ https://bugzilla.redhat.com/show_bug.cgi?id=1064695
+ https://mail.gnome.org/archives/commits-list/2014-January/msg03294.html
+ https://github.com/linuxmint/cinnamon-screensaver/issues/44



[Touch-packages] [Bug 1366790] Re: Fix for CVE-2014-1949 (GTK 3.10.x)

2014-09-08 Thread Seth Arnold
** Information type changed from Private Security to Public Security



[Touch-packages] [Bug 1366790] Re: Fix for CVE-2014-1949 (GTK 3.10.x)

2014-09-08 Thread Marc Deslauriers
CVE-2014-1949 was assigned to cinnamon-screensaver.

The fix for this issue actually lies in gtk+3.0, in the following
commit:

https://git.gnome.org/browse/gtk+/commit/?id=1691bb741d50c90ee938f0b73fe81b0ca9bfd6d4

gtk+3.0 is already fixed in utopic, and we only have
cinnamon-screensaver in utopic.

Hence, this issue doesn't have a security impact in trusty.

If you would like this fixed in the gtk+3.0 package in trusty, it will
need to be done through the SRU process just like other bug fixes.
Please see the following for the procedure:

https://wiki.ubuntu.com/StableReleaseUpdates

** Also affects: gtk+3.0 (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: gtk+3.0 (Ubuntu Utopic)
   Importance: Undecided
   Status: New

** Changed in: gtk+3.0 (Ubuntu Utopic)
   Status: New => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-1949

** Changed in: gtk+3.0 (Ubuntu Trusty)
   Status: New => Confirmed

** Information type changed from Public Security to Public



[Touch-packages] [Bug 1366790] Re: Fix for CVE-2014-1949 (GTK 3.10.x)

2014-09-08 Thread Michael Webster
So, GTK3 apps that use context menus shouldn't be fixed to avoid a
cascade of menus popping up if they use their menu key?

Did you read beyond cinnamon?

Should I open a new bug that doesn't say 'security issue'?



[Touch-packages] [Bug 1366790] Re: Fix for CVE-2014-1949 (GTK 3.10.x)

2014-09-08 Thread Michael Webster
fwiw, it's been applied to upstream 3.10, thanks for your 'time,' I
enjoyed it.
