A vulnerability has been disclosed in cinnamon-screensaver, the screen locker of the Cinnamon desktop shipped by Linux Mint, that allows entry into a locked user session without entering a password on systems with several keyboard layouts configured. The problem can be used to gain access to the data of a user who has left a computer unattended for a while.
The problem is trivial to exploit: to bypass the screen lock it is enough to open the virtual keyboard, switch to another layout, and then press “ē”, “q” or other letters absent from the active keyboard layout several times in the on-screen keyboard’s top panel. The vulnerability manifests itself in Linux Mint and in the Arch and Debian Testing editions that ship the Cinnamon desktop. Fedora 33/34 and Debian 10 are not affected, because they automatically switch the layout to US. Exploitation has been possible since the release of Cinnamon 4.2, which added support for calling the on-screen keyboard from the screen saver. Updates fixing the vulnerability are already available for Linux Mint 19.x, Mint 20.x and LMDE 4. No CVE identifier has been assigned to the issue yet.
It is noteworthy that the problem was discovered after the children of one of the developers played at “hacking” their father’s computer, pressing random keys on the locked screen and clicking on everything. The developer watched and was quite surprised when the “hack” succeeded and the lock screen disappeared. The children’s last action had been pressing keys on the physical and on-screen keyboards at the same time, which crashed the screen saver. The first thought was that this was a coincidence, but the children managed to repeat the unlock a second time.
Analysis showed that the problem was a regression introduced by the fix for a recent X server vulnerability (CVE-2020-25712), a buffer overflow in the XkbSetDeviceInfo() and SetDeviceIndicators() functions. The changes made to remediate it created crash conditions in the libcaribou library used by the Caribou on-screen keyboard. When the on-screen keyboard functionality was invoked from the screen saver, a crash in libcaribou took down the screen saver process itself, and with nothing left covering the screen the locked desktop became accessible again: the locker failed open rather than closed.
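As an added illustration (not code from cinnamon-screensaver, Caribou or libcaribou, and not the actual fix shipped by Linux Mint), the following Python simulation contrasts the two designs at stake here: a locker that hosts the on-screen keyboard inside its own process dies with it and exposes the session, while a locker that runs the keyboard in a child process loses only the keyboard and stays locked. The layout table, the keycodes, the password and the “ē” trigger are all constructed for the example; the crash is simulated with os.abort(), which, like a crash inside a native library, cannot be caught by the hosting process.

```python
"""Fail-open versus fail-closed screen locker, simulated (Linux only, uses fork()).

Added example, not code from cinnamon-screensaver, Caribou or libcaribou.
The on-screen keyboard turns a symbol into a keycode of the active layout; a
symbol the layout cannot produce stands in for the "ē" of the report and
triggers a native-style crash of whichever process hosts the keyboard.
"""
import multiprocessing as mp
import os

ctx = mp.get_context("fork")

# Constructed minimal "active layout": symbol -> keycode. The numbers are not
# real X keycodes; any symbol absent from the dict plays the role of "ē".
ACTIVE_LAYOUT = {"a": 38, "q": 24, "e": 26}
PASSWORD = "qa"  # assumed unlock credential, for the simulation only


def keycode_for(keyval, layout=ACTIVE_LAYOUT):
    """Map a symbol to a keycode. An unknown symbol aborts the whole process,
    standing in for a crash inside a native library: no try/except stops it."""
    if keyval not in layout:
        os.abort()
    return layout[keyval]


def osk_worker(conn):
    """On-screen keyboard body when run out of process: answers keycode
    requests until it receives None."""
    while True:
        keyval = conn.recv()
        if keyval is None:
            return
        conn.send(keycode_for(keyval))


class InProcessOSK:
    """Vulnerable pattern: the keyboard runs inside the locker's own process."""

    def press(self, keyval):
        return keycode_for(keyval)

    def shutdown(self):
        pass


class IsolatedOSK:
    """Hardened pattern: the keyboard runs in a child process. If the child
    crashes or hangs, the locker discards the keyboard and keeps the lock."""

    def __init__(self):
        self.conn, child_conn = ctx.Pipe()
        self.proc = ctx.Process(target=osk_worker, args=(child_conn,))
        self.proc.start()
        child_conn.close()  # only the child holds this end now; its death yields EOF
        self.alive = True

    def press(self, keyval):
        if not self.alive:
            return None
        try:
            self.conn.send(keyval)
            if self.conn.poll(5.0):
                return self.conn.recv()  # raises EOFError once the child is gone
        except (EOFError, OSError):
            pass
        # The keyboard crashed or hung: drop it, but the screen stays locked.
        self.alive = False
        if self.proc.is_alive():
            self.proc.terminate()
        self.proc.join()
        return None

    def shutdown(self):
        if self.alive:
            self.conn.send(None)
            self.proc.join()
            self.alive = False


def locker_process(isolated, keystrokes, report):
    """The lock screen. simulate() runs it as a child so that a crash in the
    fail-open variant kills this process, not the caller. Every keystroke here
    goes through the on-screen keyboard; a real locker would also accept the
    physical keyboard."""
    osk = IsolatedOSK() if isolated else InProcessOSK()
    typed, locked = "", True
    for key in keystrokes:
        if key == "<enter>":
            locked = typed != PASSWORD
            typed = ""
            if not locked:
                break
        elif osk.press(key) is not None:
            typed += key
    osk.shutdown()
    report.send("locked" if locked else "unlocked")


def simulate(isolated, keystrokes):
    """Return what the user is left looking at: 'locked', 'unlocked', or
    'session exposed' when the locker process itself died."""
    parent, child = ctx.Pipe()
    proc = ctx.Process(target=locker_process, args=(isolated, keystrokes, child))
    proc.start()
    child.close()  # the locker's death must close the last copy of this end
    try:
        outcome = parent.recv()
    except EOFError:
        outcome = "session exposed"
    proc.join()
    return outcome


if __name__ == "__main__":
    bypass = ["ē", "ē", "<enter>"]  # symbols the active layout cannot produce
    print("in-process OSK, unsupported symbol:", simulate(False, bypass))
    print("isolated OSK,   unsupported symbol:", simulate(True, bypass))
    print("isolated OSK,   correct password:  ", simulate(True, ["q", "a", "<enter>"]))
```

The point of the child-process version is not the try/except around the pipe but the process boundary: the keyboard can die in any way it likes, and the locker only ever observes an EOF on a pipe. A screen locker should treat every helper it hosts, on-screen keyboard included, as something that may crash, and arrange that the lock survives the crash.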