I changed title and description trying to follow https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template as requested
** Description changed: - It was found in cinnamon-screensaver that pressing ē can crash the - screensaver and Cinnamon DE itself. + [Impact] + There is a regression after solving CVE-2020-25712 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25712) in xserver (https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9) that make caribou crash pressing ē. - This is a regression of solving CVE-2020-25712 (https://cve.mitre.org - /cgi-bin/cvename.cgi?name=CVE-2020-25712) in xserver - (https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9) + In cinnamon-screensaver (>=4.2 where integrated the virtual keyboard) + crash of caribou cause also screensaver crash and make possible access + without insert the correct password, this introduced a security issue. - Supposed patch: - https://gitlab.gnome.org/GNOME/caribou/-/merge_requests/3 + [Test Case] + In cinnamon-screensaver (>=4.2) pressing ē (after long press on e) in virtual keyboard (button at the bottom of the screen in the center) make caribou (and the screensaver) crash and access without insert the correct password. - The following versions of Cinnamon are affected: - 4.4 - Focal - 4.6 - Groovy - 4.8 - Hirsute (unstable) + [Where problems could occur] + The following versions of ubuntu are affected by the security caused by caribou crash of this issue: + - Focal (cinnamon 4.4) + - Groovy (cinnamon 4.6) + - Hirsute (bug solved with 0.4.21-7.1) - Upstream caribou doesn't seem very maintained anymore. Hopefully patch - will be put upstream so Hirsute can be solved. After that I will SRU - Focal and Groovy. - - TL;DR: Caribou segfaults on pressing ē which can cause a screensaver - bypass to cinnamon-screensaver and possibly any screensaver application - using gir1.2-caribou-1.0. - - ProblemType: Bug - DistroRelease: Ubuntu 20.10 - Package: gir1.2-caribou-1.0 0.4.21-7 - ProcVersionSignature: Ubuntu 5.8.0-33.36-generic 5.8.17 - Uname: Linux 5.8.0-33-generic x86_64 - ApportVersion: 2.20.11-0ubuntu50.3 - Architecture: amd64 - CasperMD5CheckResult: skip - CurrentDesktop: ubuntu:GNOME - Date: Sat Jan 16 10:36:59 2021 - InstallationDate: Installed on 2020-10-23 (85 days ago) - InstallationMedia: Ubuntu 20.10 "Groovy Gorilla" - Release amd64 (20201022) - ProcEnviron: - TERM=xterm-256color - PATH=(custom, no user) - XDG_RUNTIME_DIR=<set> - LANG=en_US.UTF-8 - SHELL=/bin/bash - RebootRequiredPkgs: - linux-image-5.8.0-38-generic - linux-base - SourcePackage: caribou - UpgradeStatus: No upgrade log present (probably fresh install) + The patch attached in https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/comments/4 (for Focal) have the same changes of 0.4.21-7.1 (debian unstable, debian testing and Hirsute) and same patches are used also in some other distros that already applied the fix faster (as security issue) and 1 week or more went by without experiencing regressions at the moment. + The patch is already tested in Focal, can be used also in Groovy (only changing focal->groovy). ** Summary changed: - Segfault with gir1.2-caribou-1.0 keyboard device info regression + [SRU] caribou: Segfault (as regression of xorg CVE-2020-25712 fix) cause security issue for cinnamon ** Patch removed: "patch for focal fix" https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+attachment/5455950/+files/caribou_0.4.21-7_0.4.21-7ubuntu0.1.diff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1912060 Title: [SRU] caribou: Segfault (as regression of xorg CVE-2020-25712 fix) cause security issue for cinnamon To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
