CVE-2014-1949: cinnamon-screensaver can be bypassed by pressing Menu key

Related Vulnerabilities: CVE-2014-1949  

Debian Bug report logs - #738828


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Thu, 13 Feb 2014 10:00:01 UTC

Severity: grave

Tags: security

Found in version gtk+3.0/3.10.7-1

Fixed in version 3.11.8-1

Done: Margarita Manterola <marga@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Nicolas Bourdaud <nicolas.bourdaud@gmail.com>:
Bug#738828; Package cinnamon. (Thu, 13 Feb 2014 10:00:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Nicolas Bourdaud <nicolas.bourdaud@gmail.com>. (Thu, 13 Feb 2014 10:00:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cinnamon: CVE-2014-1949
Date: Thu, 13 Feb 2014 10:47:42 +0100
Package: cinnamon
Severity: grave
Tags: security
Justification: user security hole

This was assigned CVE-2014-1949:
http://www.openwall.com/lists/oss-security/2014/02/12/7

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Maximiliano Curia <maxy@debian.org>:
Bug#738828; Package cinnamon. (Wed, 14 May 2014 17:48:07 GMT)


Acknowledgement sent to Laurento Frittella <laurento.frittella@gmail.com>:
Extra info received and forwarded to list. Copy sent to Maximiliano Curia <maxy@debian.org>. (Wed, 14 May 2014 17:48:07 GMT)


Message #10 received at 738828@bugs.debian.org:

From: Laurento Frittella <laurento.frittella@gmail.com>
To: 738828@bugs.debian.org
Date: Wed, 14 May 2014 19:46:10 +0200
Here is the related upstream bug report on github:
https://github.com/linuxmint/cinnamon-screensaver/issues/44

Cheers,
Laurento



Marked as fixed in versions cinnamon/2.2.14-1. Request was from Lars Cebulla <lars.cebu@googlemail.com> to control@bugs.debian.org. (Wed, 16 Jul 2014 22:27:11 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cinnamon Team <pkg-cinnamon-team@lists.alioth.debian.org>:
Bug#738828; Package cinnamon. (Sat, 19 Jul 2014 16:42:05 GMT)


Acknowledgement sent to fantonifabio@tiscali.it:
Extra info received and forwarded to list. Copy sent to Debian Cinnamon Team <pkg-cinnamon-team@lists.alioth.debian.org>. (Sat, 19 Jul 2014 16:42:05 GMT)


Message #17 received at 738828@bugs.debian.org:

From: Fabio Fantoni <fantonifabio@tiscali.it>
To: 738828@bugs.debian.org
Cc: lars.cebu@googlemail.com
Subject: cinnamon: CVE-2014-1949
Date: Sat, 19 Jul 2014 18:33:20 +0200
Today I spoke in upstream's devel chat about it; this bug is still
present even if not always reproducible.
It affects the older cinnamon Debian package and the new cinnamon-screensaver.
One user has posted a "bad and probably partial" fix:
https://github.com/RavetcoFX/cinnamon-screensaver/commit/89150d21004faf63722e6c47af639071de42c6e6
I have some doubts on how to go about it; can expert Debian developers
give me some advice please?

Thanks for any reply and sorry for my bad English.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cinnamon Team <pkg-cinnamon-team@lists.alioth.debian.org>:
Bug#738828; Package cinnamon. (Sat, 19 Jul 2014 22:27:05 GMT)


Acknowledgement sent to Maximiliano Curia <maxy@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Cinnamon Team <pkg-cinnamon-team@lists.alioth.debian.org>. (Sat, 19 Jul 2014 22:27:05 GMT)


Message #22 received at 738828@bugs.debian.org:

From: Maximiliano Curia <maxy@debian.org>
To: fantonifabio@tiscali.it, 738828@bugs.debian.org
Cc: lars.cebu@googlemail.com
Subject: Re: [pkg-cinnamon] Bug#738828: cinnamon: CVE-2014-1949
Date: Sun, 20 Jul 2014 00:23:27 +0200
Hello Fabio!

On 2014-07-19 at 18:33 +0200, Fabio Fantoni wrote:
> Today I spoke in upstream's devel chat about it; this bug is still
> present even if not always reproducible.
> It affects the older cinnamon Debian package and the new cinnamon-screensaver.
> One user has posted a "bad and probably partial" fix:
> https://github.com/RavetcoFX/cinnamon-screensaver/commit/89150d21004faf63722e6c47af639071de42c6e6
> I have some doubts on how to go about it; can expert Debian developers
> give me some advice please?

After a while checking the issue, we could reproduce it by installing
gtk 3.10, and it's solved with gtk 3.12.

Using the packages from snapshots, the problem is reproducible with gtk
3.10.7 and is fixed in 3.11.5. We haven't yet found the exact fix.

Happy hacking,
-- 
"We must be very careful when we give advice to younger people: sometimes they
follow it!"
-- Edsger W. Dijkstra
Regards /\/\ /\ >< `/

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cinnamon Team <pkg-cinnamon-team@lists.alioth.debian.org>:
Bug#738828; Package cinnamon. (Sat, 26 Jul 2014 14:27:04 GMT)


Acknowledgement sent to Margarita Manterola <marga@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Cinnamon Team <pkg-cinnamon-team@lists.alioth.debian.org>. (Sat, 26 Jul 2014 14:27:04 GMT)


Message #27 received at 738828@bugs.debian.org:

From: Margarita Manterola <marga@debian.org>
To: control@bugs.debian.org
Cc: 738828@bugs.debian.org
Subject: Cleaning up
Date: Sat, 26 Jul 2014 16:24:47 +0200
retitle 738828 CVE-2014-1949: cinnamon-screensaver can be bypassed by pressing Menu key
reassign 738828 libgtk-3-0 3.10.7-1
fixed 738828 libgtk-3-0 3.11.8-1
thanks

So, as mentioned in the previous update, this bug only triggers with GTK 3.10,
and is already fixed in 3.11.8. The differences between one and the other are
quite numerous, and therefore finding the exact fix (needed for Ubuntu Trusty,
not for Debian Jessie) is not simple.

But since this bug can be fixed by changing the GTK version, and 3.12 is already
available in Debian, I'm reassigning and closing here.

-- 
Regards,
Marga



Changed Bug title to 'CVE-2014-1949: cinnamon-screensaver can be bypassed by pressing Menu key' from 'cinnamon: CVE-2014-1949'. Request was from Margarita Manterola <marga@debian.org> to control@bugs.debian.org. (Sat, 26 Jul 2014 14:27:08 GMT)


Bug reassigned from package 'cinnamon' to 'libgtk-3-0'. Request was from Margarita Manterola <marga@debian.org> to control@bugs.debian.org. (Sat, 26 Jul 2014 14:27:09 GMT)


No longer marked as fixed in versions cinnamon/2.2.14-1. Request was from Margarita Manterola <marga@debian.org> to control@bugs.debian.org. (Sat, 26 Jul 2014 14:27:09 GMT)


Marked as found in versions gtk+3.0/3.10.7-1. Request was from Margarita Manterola <marga@debian.org> to control@bugs.debian.org. (Sat, 26 Jul 2014 14:27:10 GMT)


Reply sent to Margarita Manterola <marga@debian.org>:
You have taken responsibility. (Sat, 26 Jul 2014 21:00:10 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 26 Jul 2014 21:00:10 GMT)


Message #40 received at 738828-done@bugs.debian.org:

From: Margarita Manterola <marga@debian.org>
To: 738828-done@bugs.debian.org
Subject: Correctly closing now
Date: Sat, 26 Jul 2014 22:57:09 +0200
Version: 3.11.8-1

Re-closing, my previous update was intended to close this bug, but it didn't
because of a syntax error.

The bug is fixed with libgtk versions 3.11.8-1 and above.

-- 
Regards,
Marga

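The thread settles the bug as a GTK regression: reproducible with libgtk-3-0 3.10.7-1 and recorded as fixed from 3.11.8-1. As an added example that is not part of the bug log or of dpkg, here is a self-contained Python reimplementation of Debian's version ordering (epoch, upstream, revision, with '~' sorting first) that classifies an installed libgtk-3-0 version string against those two boundaries; FIRST_AFFECTED and libgtk_status are names chosen here, and the "affected" range below 3.11.8-1 follows the Debian record rather than the 3.11.5 mentioned mid-thread.

```python
FIXED_VERSION = "3.11.8-1"   # from the log: "fixed 738828 libgtk-3-0 3.11.8-1"
FIRST_AFFECTED = "3.10"      # the log says the bypass only triggers with GTK 3.10

def _order(c):
    """dpkg's ordering for the non-digit runs: '~' < end of string < letters < others."""
    if c is None or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _cmp_part(a, b):
    """Compare an upstream or revision string pair the way dpkg's verrevcmp does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Leading non-digit runs are compared character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else None)
            bc = _order(b[j] if j < len(b) else None)
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        # Leading digit runs are compared numerically (leading zeros ignored).
        da = db = ""
        while i < len(a) and a[i].isdigit():
            da, i = da + a[i], i + 1
        while j < len(b) and b[j].isdigit():
            db, j = db + b[j], j + 1
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(version):
    # '[epoch:]upstream[-revision]'; a missing epoch is 0, a missing revision is ''.
    epoch, sep, rest = version.partition(":")
    epoch, rest = (epoch, rest) if sep else ("0", version)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def libgtk_status(installed):
    """'fixed' at or above 3.11.8-1, 'affected' from 3.10 below that, else 'unknown'."""
    if compare_versions(installed, FIXED_VERSION) >= 0:
        return "fixed"
    return "affected" if compare_versions(installed, FIRST_AFFECTED) >= 0 else "unknown"
```

Feed it the output of `dpkg-query -W -f='${Version}' libgtk-3-0` from a host to see where that host falls; anything older than 3.10 is reported as "unknown" because the thread makes no statement about it.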


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Aug 2014 07:27:14 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:36:58 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.