[Bug 1912060] Re: Segfault with gir1.2-caribou-1.0 keyboard device info regression
I changed title and description trying to follow https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template as requested ** Description changed: - It was found in cinnamon-screensaver that pressing ē can crash the - screensaver and Cinnamon DE itself. + [Impact] + There is a regression after solving CVE-2020-25712 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25712) in xserver (https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9) that make caribou crash pressing ē. - This is a regression of solving CVE-2020-25712 (https://cve.mitre.org - /cgi-bin/cvename.cgi?name=CVE-2020-25712) in xserver - (https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9) + In cinnamon-screensaver (>=4.2 where integrated the virtual keyboard) + crash of caribou cause also screensaver crash and make possible access + without insert the correct password, this introduced a security issue. - Supposed patch: - https://gitlab.gnome.org/GNOME/caribou/-/merge_requests/3 + [Test Case] + In cinnamon-screensaver (>=4.2) pressing ē (after long press on e) in virtual keyboard (button at the bottom of the screen in the center) make caribou (and the screensaver) crash and access without insert the correct password. - The following versions of Cinnamon are affected: - 4.4 - Focal - 4.6 - Groovy - 4.8 - Hirsute (unstable) + [Where problems could occur] + The following versions of ubuntu are affected by the security caused by caribou crash of this issue: + - Focal (cinnamon 4.4) + - Groovy (cinnamon 4.6) + - Hirsute (bug solved with 0.4.21-7.1) - Upstream caribou doesn't seem very maintained anymore. Hopefully patch - will be put upstream so Hirsute can be solved. After that I will SRU - Focal and Groovy. - - TL;DR: Caribou segfaults on pressing ē which can cause a screensaver - bypass to cinnamon-screensaver and possibly any screensaver application - using gir1.2-caribou-1.0. - - ProblemType: Bug - DistroRelease: Ubuntu 20.10 - Package: gir1.2-caribou-1.0 0.4.21-7 - ProcVersionSignature: Ubuntu 5.8.0-33.36-generic 5.8.17 - Uname: Linux 5.8.0-33-generic x86_64 - ApportVersion: 2.20.11-0ubuntu50.3 - Architecture: amd64 - CasperMD5CheckResult: skip - CurrentDesktop: ubuntu:GNOME - Date: Sat Jan 16 10:36:59 2021 - InstallationDate: Installed on 2020-10-23 (85 days ago) - InstallationMedia: Ubuntu 20.10 "Groovy Gorilla" - Release amd64 (20201022) - ProcEnviron: - TERM=xterm-256color - PATH=(custom, no user) - XDG_RUNTIME_DIR= - LANG=en_US.UTF-8 - SHELL=/bin/bash - RebootRequiredPkgs: - linux-image-5.8.0-38-generic - linux-base - SourcePackage: caribou - UpgradeStatus: No upgrade log present (probably fresh install) + The patch attached in https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/comments/4 (for Focal) have the same changes of 0.4.21-7.1 (debian unstable, debian testing and Hirsute) and same patches are used also in some other distros that already applied the fix faster (as security issue) and 1 week or more went by without experiencing regressions at the moment. + The patch is already tested in Focal, can be used also in Groovy (only changing focal->groovy). ** Summary changed: - Segfault with gir1.2-caribou-1.0 keyboard device info regression + [SRU] caribou: Segfault (as regression of xorg CVE-2020-25712 fix) cause security issue for cinnamon ** Patch removed: "patch for focal fix" https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+attachment/5455950/+files/caribou_0.4.21-7_0.4.21-7ubuntu0.1.diff -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to caribou in Ubuntu. https://bugs.launchpad.net/bugs/1912060 Title: [SRU] caribou: Segfault (as regression of xorg CVE-2020-25712 fix) cause security issue for cinnamon To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1912060] Re: Segfault with gir1.2-caribou-1.0 keyboard device info regression
** Bug watch added: Debian Bug tracker #980061 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980061 ** Also affects: caribou (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980061 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to caribou in Ubuntu. https://bugs.launchpad.net/bugs/1912060 Title: Segfault with gir1.2-caribou-1.0 keyboard device info regression To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1912060] Re: Segfault with gir1.2-caribou-1.0 keyboard device info regression
** Changed in: caribou (Ubuntu Focal) Importance: Undecided => Medium ** Changed in: caribou (Ubuntu Groovy) Importance: Undecided => Medium ** Changed in: caribou (Ubuntu Hirsute) Importance: Undecided => Medium ** Tags removed: regression ** Tags added: regression-update -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to caribou in Ubuntu. https://bugs.launchpad.net/bugs/1912060 Title: Segfault with gir1.2-caribou-1.0 keyboard device info regression To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1912060] Re: Segfault with gir1.2-caribou-1.0 keyboard device info regression
Awesome. I guess we could patch but I think it may be more necessary since the versions in Focal and Groovy of caribou are the same to just backport. I also need to do some testing ** Changed in: caribou (Ubuntu Focal) Status: Confirmed => In Progress ** Changed in: caribou (Ubuntu Groovy) Status: Confirmed => In Progress -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to caribou in Ubuntu. https://bugs.launchpad.net/bugs/1912060 Title: Segfault with gir1.2-caribou-1.0 keyboard device info regression To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1912060] Re: Segfault with gir1.2-caribou-1.0 keyboard device info regression
About Focal patch build tested(https://launchpad.net/~fantonifabio/+archive/ubuntu/ubuntu-fixes/) and also installed and tested the packages (unable to reproduce the issue with new patch applied). On Groovy should work with the same patch (only changing focal->groovy) but I not tested it. -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to caribou in Ubuntu. https://bugs.launchpad.net/bugs/1912060 Title: Segfault with gir1.2-caribou-1.0 keyboard device info regression To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1912060] Re: Segfault with gir1.2-caribou-1.0 keyboard device info regression
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: caribou (Ubuntu Groovy) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to caribou in Ubuntu. https://bugs.launchpad.net/bugs/1912060 Title: Segfault with gir1.2-caribou-1.0 keyboard device info regression To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1912060] Re: Segfault with gir1.2-caribou-1.0 keyboard device info regression
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: caribou (Ubuntu Focal) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to caribou in Ubuntu. https://bugs.launchpad.net/bugs/1912060 Title: Segfault with gir1.2-caribou-1.0 keyboard device info regression To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1912060] Re: Segfault with gir1.2-caribou-1.0 keyboard device info regression
** Patch added: "patch for focal fix" https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+attachment/5455950/+files/caribou_0.4.21-7_0.4.21-7ubuntu0.1.diff ** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to caribou in Ubuntu. https://bugs.launchpad.net/bugs/1912060 Title: Segfault with gir1.2-caribou-1.0 keyboard device info regression To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1912060] Re: Segfault with gir1.2-caribou-1.0 keyboard device info regression
0.4.21-7.1 fix it and is now in Hirsute (sync from debian) ** Changed in: caribou (Ubuntu Hirsute) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to caribou in Ubuntu. https://bugs.launchpad.net/bugs/1912060 Title: Segfault with gir1.2-caribou-1.0 keyboard device info regression To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1912060] Re: Segfault with gir1.2-caribou-1.0 keyboard device info regression
The main patch has been merged upstream in caribou, but build fails. https://gitlab.com/linuxmint/pins/mint/caribou/-/commit/72fd18b747aea7bb9cf134dc62f2a85b2b4698dc - a new patch is needed too (it will in the debdiffs for Focal and Groovy be in the same patch) so hopefully that'll get merged and hopefully soon a release. ** Changed in: caribou (Ubuntu Hirsute) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to caribou in Ubuntu. https://bugs.launchpad.net/bugs/1912060 Title: Segfault with gir1.2-caribou-1.0 keyboard device info regression To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1912060] Re: Segfault with gir1.2-caribou-1.0 keyboard device info regression
** Changed in: caribou (Ubuntu Focal) Assignee: (unassigned) => Joshua Peisach (itzswirlz) ** Changed in: caribou (Ubuntu Groovy) Assignee: (unassigned) => Joshua Peisach (itzswirlz) -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to caribou in Ubuntu. https://bugs.launchpad.net/bugs/1912060 Title: Segfault with gir1.2-caribou-1.0 keyboard device info regression To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1912060] Re: Segfault with gir1.2-caribou-1.0 keyboard device info regression
** Also affects: caribou (Ubuntu Groovy) Importance: Undecided Status: New ** Also affects: caribou (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: caribou (Ubuntu Hirsute) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to caribou in Ubuntu. https://bugs.launchpad.net/bugs/1912060 Title: Segfault with gir1.2-caribou-1.0 keyboard device info regression To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1912060] Re: Segfault with gir1.2-caribou-1.0 keyboard device info regression
** Description changed: It was found in cinnamon-screensaver that pressing ē can crash the screensaver and Cinnamon DE itself. This is a regression of solving CVE-2020-25712 (https://cve.mitre.org /cgi-bin/cvename.cgi?name=CVE-2020-25712) in xserver (https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9) + + Supposed patch: + https://gitlab.gnome.org/GNOME/caribou/-/merge_requests/3 The following versions of Cinnamon are affected: 4.4 - Focal 4.6 - Groovy 4.8 - Hirsute (unstable) Upstream caribou doesn't seem very maintained anymore. Hopefully patch will be put upstream so Hirsute can be solved. After that I will SRU Focal and Groovy. TL;DR: Caribou segfaults on pressing ē which can cause a screensaver bypass to cinnamon-screensaver and possibly any screensaver application using gir1.2-caribou-1.0. ProblemType: Bug DistroRelease: Ubuntu 20.10 Package: gir1.2-caribou-1.0 0.4.21-7 ProcVersionSignature: Ubuntu 5.8.0-33.36-generic 5.8.17 Uname: Linux 5.8.0-33-generic x86_64 ApportVersion: 2.20.11-0ubuntu50.3 Architecture: amd64 CasperMD5CheckResult: skip CurrentDesktop: ubuntu:GNOME Date: Sat Jan 16 10:36:59 2021 InstallationDate: Installed on 2020-10-23 (85 days ago) InstallationMedia: Ubuntu 20.10 "Groovy Gorilla" - Release amd64 (20201022) ProcEnviron: - TERM=xterm-256color - PATH=(custom, no user) - XDG_RUNTIME_DIR= - LANG=en_US.UTF-8 - SHELL=/bin/bash + TERM=xterm-256color + PATH=(custom, no user) + XDG_RUNTIME_DIR= + LANG=en_US.UTF-8 + SHELL=/bin/bash RebootRequiredPkgs: - linux-image-5.8.0-38-generic - linux-base + linux-image-5.8.0-38-generic + linux-base SourcePackage: caribou UpgradeStatus: No upgrade log present (probably fresh install) -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to caribou in Ubuntu. https://bugs.launchpad.net/bugs/1912060 Title: Segfault with gir1.2-caribou-1.0 keyboard device info regression To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs