Bug#895149: cinnamon-screensaver: Fails to lock the screen if a menu is selected

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#895149: cinnamon-screensaver: Fails to lock the screen if a menu is selected
From: Luís Picciochi Oliveira <Pitxyoki@Gmail.com>
Date: Sat, 07 Apr 2018 19:31:08 +0100
Message-id: <[🔎] 152312586825.19628.14037284813694971123.reportbug@Laptop-150>
Reply-to: Luís Picciochi Oliveira <Pitxyoki@Gmail.com>, 895149@bugs.debian.org

Package: cinnamon-screensaver
Version: 3.6.1-2
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

I found that cinnamon-screensaver does not start if a window menu is clicked.
This can be a security problem as users unaware of this can leave their
computer unlocked unwillingly if they clicked a menu before abandoning or
trusting that their computer will be locked.

To reproduce this, just click the "File" menu in a window. For example, gnome-
terminal's "File" menu.

Starting cinnamon-screensaver in a terminal and looking at its log, I see the
following when the screensaver tries to start:

....

couldn't grab keyboard
couldn't grab keyboard
couldn't grab keyboard
couldn't grab keyboard
couldn't grab keyboard
couldn't grab keyboard
couldn't grab keyboard
couldn't grab keyboard
couldn't grab mouse
couldn't grab mouse
couldn't grab mouse
couldn't grab mouse
Can't fade in screensaver, unable to grab the keyboard

.....

If I unselect the "File" menu and wait for the screensaver to trigger again, it
is then able to do it.

I'm reporting this as a security issue but I understand having this exploited
is somewhat unlikely: it would require the attacker to somehow make (or wait
for) the victim to click a menu and ensuring that he leaves his computer
unlocked and unattended without noticing the screen lock was not triggered.

Thanks and best regards,
Luís Picciochi Oliveira



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cinnamon-screensaver depends on:
ii  cinnamon-desktop-data       3.6.2-2
ii  gir1.2-accountsservice-1.0  0.6.45-1
ii  gir1.2-cinnamondesktop-3.0  3.6.2-2
ii  gir1.2-gkbd-3.0             3.26.0-3
ii  gir1.2-glib-2.0             1.56.0-2
ii  gir1.2-gtk-3.0              3.22.29-2
ii  gir1.2-xapp-1.0             1.0.4-2
ii  iso-flags-png-320x240       1.0.1-1
ii  libc6                       2.27-3
ii  libcscreensaver0            3.6.1-2
ii  libglib2.0-0                2.56.0-4
ii  libgtk-3-0                  3.22.29-2
ii  python3                     3.6.4-1
ii  python3-gi                  3.28.1-1
ii  python3-gi-cairo            3.28.1-1
ii  python3-setproctitle        1.1.10-1+b1
ii  python3-xapp                1.0.1-1
ii  python3-xlib                0.20-3

Versions of packages cinnamon-screensaver recommends:
pn  cinnamon-screensaver-x-plugin  <none>

Versions of packages cinnamon-screensaver suggests:
pn  cinnamon-screensaver-webkit-plugin  <none>

-- no debconf information

Reply to:

Follow-Ups:
- Bug#895149: marked as done (cinnamon-screensaver: Fails to lock the screen if a menu is selected)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Bug#895058: cinnamon-control-center segfaults when opening network settings
Next by Date: Bug#895150: cinnamon-screensaver-command: Crashes and hangs when unable to grab the keyboard/mouse
Previous by thread: Bug#895058: marked as done (cinnamon-control-center segfaults when opening network settings)
Next by thread: Bug#895149: marked as done (cinnamon-screensaver: Fails to lock the screen if a menu is selected)
Index(es):
- Date
- Thread