[Bug 1912060] Re: [SRU] caribou: Segfault (as regression of xorg CVE-2020-25712 fix) cause security issue for cinnamon

Marc Deslauriers 1912060 at bugs.launchpad.net
Thu Jan 28 15:15:59 UTC 2021 

The focal debdiff has an extra commit that the groovy debdiff does't
have, and it doesn't look like that commit is in the upstream repo:

>From 85ac8f9e210243d95163cf8b1013470a6d9c7eaa Mon Sep 17 00:00:00 2001
From: Clement Lefebvre <clement.lefebvre at linuxmint.com>
Date: Tue, 12 Jan 2021 17:30:25 +0000
Subject: [PATCH 2/4] Fix subkey popmenu not showing after being dismissed

Could someone please investigate if that commit is needed or not, and
adjust the focal and/or groovy debdiffs as appropriate.

Thanks!

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1912060

Title:
  [SRU] caribou: Segfault (as regression of xorg CVE-2020-25712 fix)
  cause security issue for cinnamon

Status in caribou package in Ubuntu:
  Fix Released
Status in caribou source package in Focal:
  In Progress
Status in caribou source package in Groovy:
  In Progress
Status in caribou source package in Hirsute:
  Fix Released
Status in caribou package in Debian:
  Unknown

Bug description:
  [Impact]
  There is a regression after solving CVE-2020-25712 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25712) in xserver (https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9) that make caribou crash pressing ē.

  In cinnamon-screensaver (>=4.2 where integrated the virtual keyboard)
  crash of caribou cause also screensaver crash and make possible access
  without insert the correct password, this introduced a security issue.

  [Test Case]
  In cinnamon-screensaver (>=4.2) pressing ē (after long press on e) in virtual keyboard (button at the bottom of the screen in the center) make caribou (and the screensaver) crash and access without insert the correct password.

  [Where problems could occur]
  The following versions of ubuntu are affected by the security caused by caribou crash of this issue:
  - Focal (cinnamon 4.4)
  - Groovy (cinnamon 4.6)
  - Hirsute (bug solved with 0.4.21-7.1)

  The patch attached in comment #10 (for Focal) have the same changes of 0.4.21-7.1 (debian unstable, debian testing and Hirsute) and same patches are used also in some other distros that already applied the fix faster (as security issue) and 1 week or more went by without experiencing regressions at the moment.
  The patch is already tested in Focal, can be used also in Groovy (only changing focal->groovy).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060/+subscriptions

More information about the Ubuntu-sponsors mailing list