
Bug#895149: marked as done (cinnamon-screensaver: Fails to lock the screen if a menu is selected)



Your message dated Sun, 08 Apr 2018 17:47:11 +0200
with message-id <6340e52e12a36d88d0a65ff83cc94150@debian.org>
and subject line Bug#895149: cinnamon-screensaver: Fails to lock the screen if a menu  is selected
has caused the Debian Bug report #895149,
regarding cinnamon-screensaver: Fails to lock the screen if a menu is selected
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
895149: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895149
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: cinnamon-screensaver
Version: 3.6.1-2
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

I found that cinnamon-screensaver does not start if a window menu is clicked.
This can be a security problem as users unaware of this can leave their
computer unlocked unwillingly if they clicked a menu before abandoning or
trusting that their computer will be locked.

To reproduce this, just click the "File" menu in a window. For example,
gnome-terminal's "File" menu.

Starting cinnamon-screensaver in a terminal and looking at its log, I see the
following when the screensaver tries to start:

....

couldn't grab keyboard
couldn't grab keyboard
couldn't grab keyboard
couldn't grab keyboard
couldn't grab keyboard
couldn't grab keyboard
couldn't grab keyboard
couldn't grab keyboard
couldn't grab mouse
couldn't grab mouse
couldn't grab mouse
couldn't grab mouse
Can't fade in screensaver, unable to grab the keyboard

.....

If I unselect the "File" menu and wait for the screensaver to trigger again, it
is then able to do it.

I'm reporting this as a security issue but I understand having this exploited
is somewhat unlikely: it would require the attacker to somehow make (or wait
for) the victim to click a menu and ensuring that he leaves his computer
unlocked and unattended without noticing the screen lock was not triggered.

Thanks and best regards,
Luís Picciochi Oliveira



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cinnamon-screensaver depends on:
ii  cinnamon-desktop-data       3.6.2-2
ii  gir1.2-accountsservice-1.0  0.6.45-1
ii  gir1.2-cinnamondesktop-3.0  3.6.2-2
ii  gir1.2-gkbd-3.0             3.26.0-3
ii  gir1.2-glib-2.0             1.56.0-2
ii  gir1.2-gtk-3.0              3.22.29-2
ii  gir1.2-xapp-1.0             1.0.4-2
ii  iso-flags-png-320x240       1.0.1-1
ii  libc6                       2.27-3
ii  libcscreensaver0            3.6.1-2
ii  libglib2.0-0                2.56.0-4
ii  libgtk-3-0                  3.22.29-2
ii  python3                     3.6.4-1
ii  python3-gi                  3.28.1-1
ii  python3-gi-cairo            3.28.1-1
ii  python3-setproctitle        1.1.10-1+b1
ii  python3-xapp                1.0.1-1
ii  python3-xlib                0.20-3

Versions of packages cinnamon-screensaver recommends:
pn  cinnamon-screensaver-x-plugin  <none>

Versions of packages cinnamon-screensaver suggests:
pn  cinnamon-screensaver-webkit-plugin  <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Hi!

> I found that cinnamon-screensaver does not start if a window menu is clicked.

This is a known issue with X11. All screensavers running under X are affected. The only solution is to move to Wayland (cinnamon does not yet support Wayland, but I hope it will happen in the not so distant future).

See for example this very old gnome-screensaver bug, where there is some discussion of the issue:
https://bugs.launchpad.net/ubuntu/+source/gnome-screensaver/+bug/49579

This is the existing bug of the X11 package:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514036

The issue is that the screensaver should grab the keyboard and mouse before starting, and when there's an X11 popup, the popup holds keyboard and mouse, not allowing the screensaver to do it.

> This can be a security problem as users unaware of this can leave their
> computer unlocked unwillingly if they clicked a menu before abandoning or
> trusting that their computer will be locked.

There are plenty of things that could cause your screensaver not to start (on top of this one, the key combination that triggers it can sometimes be received by a different program, you could have a video playing on one screen, preventing the screensaver from starting, etc).

If you rely on your screensaver to be started for security reasons, then I recommend that you check that the screensaver has started before moving away from your computer.

I'm closing this bug now, since it's not a cinnamon-screensaver bug.

--
Regards,
Marga

--- End Message ---
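
The check recommended in the reply above (confirm the screensaver really started), as an added example that is not part of the original thread or of cinnamon-screensaver itself. It assumes `cinnamon-screensaver-command` provides `--lock` and `--query` and that the English `--query` output contains "is active" when locked; `SS_CMD`, `classify_log` and `lock_and_verify` are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: request a lock, then confirm the lock actually engaged.
# Assumption: cinnamon-screensaver-command supports --lock and --query.
# SS_CMD is a hypothetical override so the check can be exercised with a stub.
SS_CMD="${SS_CMD:-cinnamon-screensaver-command}"

# Classify screensaver log text read from stdin, using the messages quoted
# in the bug report. Prints one of: grab-failed | grab-retried | clean
classify_log() {
    awk '
        /unable to grab the keyboard/      { failed = 1 }
        /couldn.t grab (keyboard|mouse)/   { retries++ }
        END {
            if (failed)       print "grab-failed"
            else if (retries) print "grab-retried"
            else              print "clean"
        }'
}

# Request a lock and poll the screensaver state for up to $1 seconds
# (default 5). Returns 0 only if the screensaver reports itself active,
# so a grab blocked by an open menu is reported instead of going unnoticed.
lock_and_verify() {
    timeout="${1:-5}"
    "$SS_CMD" --lock >/dev/null 2>&1
    i=0
    while [ "$i" -lt "$timeout" ]; do
        # Assumption: the C-locale output contains "is active" when locked.
        if LC_ALL=C "$SS_CMD" --query 2>/dev/null | grep -q 'is active'; then
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    echo "WARNING: screen is NOT locked (inactive after ${timeout}s)" >&2
    return 1
}
```

Binding `lock_and_verify` to the lock shortcut in place of the bare lock command turns the silent failure from the report into a visible warning and a non-zero exit status.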
