Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu,  2 Oct 2014 12:33:54 -0400 (EDT)
Subject: Re: gnome-shell lockscreen bypass with printscreen key

Hash: SHA1


Clearly, something is wrong, but the CVE ID or IDs need to apply to a
specific aspect of the problem.

Our understanding from is that "the
prtsc key is not disabled when the screen is locked" is intentional
behavior. Thus, that's not the root cause. It might be reasonable to
argue that, as a consequence, anyone with physical access to that key
is implicitly allowed to consume memory and disk space. In many
environments, anyone with physical access to that key also happens to
be able to turn off the computer.

There could be a CVE assignment for - "for that
short period of time those windows are not only shown (which is a bad
enough privacy issue on it's own), but also accept input (which makes
the already-bad issue even worse)." However, the bug discussion
doesn't suggest that there's a reasonable way to solve this within
gnome-shell itself. In other words, gnome-shell doesn't have any
direct or immediate ability to control the screen when it's not

Possibly we're left with the following, which is unusual for a CVE but
still valid: "PrtSc is an unauthenticated request that's available to
untrusted parties. It's also a very expensive request. The combination
of this PrtSc behavior and the existence of the oom-killer allows
authentication bypass for command execution. Therefore, PrtSc must be
rate limited, and the lack of rate limiting is a vulnerability."
Unless there's a better alternative, the CVE ID will be assigned for
that vulnerability characterization.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.