Debian Bug report logs - #759145
Followup: CVE-2014-1949: cinnamon-screensaver can be bypassed by pressing Menu key

Package: libgtk-3-0; Maintainer for libgtk-3-0 is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>; Source for libgtk-3-0 is src:gtk+3.0 (PTS, buildd, popcon).

Reported by: Michael Webster <miketwebster@gmail.com>

Date: Sun, 24 Aug 2014 19:48:01 UTC

Severity: important

Tags: fixed-upstream, jessie, security, upstream

Found in version 3.10.8~4

Fixed in version gtk+3.0/3.11.8-1

Done: Vlad Orlov <monsta@inbox.ru>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, miketwebster@gmail.com, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#759145; Package libgtk-3-0. (Sun, 24 Aug 2014 19:48:06 GMT)


Acknowledgement sent to Michael Webster <miketwebster@gmail.com>:
New Bug report received and forwarded. Copy sent to miketwebster@gmail.com, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sun, 24 Aug 2014 19:48:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Webster <miketwebster@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Followup: CVE-2014-1949: cinnamon-screensaver can be bypassed by pressing Menu key
Date: Sun, 24 Aug 2014 15:45:45 -0400
Package: libgtk-3-0
Version: 3.10.8~4
Severity: important
Tags: upstream

Just a followup to the referenced bug, at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738828

This appears to be the commit that fixes the issue:
https://git.gnome.org/browse/gtk+/commit/?id=1691bb741d50c90ee938f0b73fe81b0ca9bfd6d4

Testing locally confirms.

An easier way to manifest this issue is to open a gtk3 app (such as
gnome-terminal), activate the physical menu key (NOT your DE's 'menu' key) - the
one traditionally to the right of the space bar, and usually displaying a small
context menu picture on it.  Once the gnome-terminal context menu pops up, keep
pressing the menu key.  This will spawn endless GtkWindow 'fallback' popup
menus - more noticeable if you move the pointer while doing this.  This issue
was originally reported here:
https://github.com/linuxmint/Cinnamon/issues/3443.

An effective patch for cinnamon-screensaver (to address the security issue) is
here:
https://github.com/mtwebster/cinnamon-screensaver/commit/da7af55f1fa966c52e15cc288d4f8928eca8cc9f
which will prevent the GtkWindow popup_menu from ever getting called.
-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13.0-24-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libgtk-3-0 depends on:
ii  libatk-bridge2.0-0   2.10.2-2ubuntu1
ii  libatk1.0-0          2.10.0-2ubuntu2
ii  libc6                2.19-0ubuntu6.1
ii  libcairo-gobject2    1.13.0~20140204-0ubuntu1
ii  libcairo2            1.13.0~20140204-0ubuntu1
ii  libcolord1           1.0.6-1
ii  libcups2             1.7.2-0ubuntu1.1
ii  libfontconfig1       2.11.0-0ubuntu4.1
ii  libgdk-pixbuf2.0-0   2.30.7-0ubuntu1
ii  libglib2.0-0         2.40.0-2
ii  libgtk-3-common      3.10.8~4
ii  libpango-1.0-0       1.36.3-1ubuntu1
ii  libpangocairo-1.0-0  1.36.3-1ubuntu1
ii  libpangoft2-1.0-0    1.36.3-1ubuntu1
ii  libwayland-client0   1.4.0-1ubuntu1
ii  libwayland-cursor0   1.4.0-1ubuntu1
ii  libx11-6             2:1.6.2-1ubuntu2
ii  libxcomposite1       1:0.4.4-1
ii  libxcursor1          1:1.1.14-1
ii  libxdamage1          1:1.1.4-1ubuntu1
ii  libxext6             2:1.3.2-1
ii  libxfixes3           1:5.0.1-1ubuntu1
ii  libxi6               2:1.7.1.901-1ubuntu1
ii  libxinerama1         2:1.1.3-1
ii  libxkbcommon0        0.4.1-0ubuntu1
ii  libxrandr2           2:1.4.2-1
ii  multiarch-support    2.19-0ubuntu6.1
ii  shared-mime-info     1.2-0ubuntu3

Versions of packages libgtk-3-0 recommends:
ii  hicolor-icon-theme  0.13-1
ii  libgtk-3-bin        3.10.8~4

Versions of packages libgtk-3-0 suggests:
ii  gvfs             1.20.1-1ubuntu1
ii  librsvg2-common  2.40.2-1

-- no debconf information



Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 25 Aug 2014 06:21:04 GMT)


Marked as fixed in versions gtk+3.0/3.11.8-1. Request was from Margarita Manterola <marga@debian.org> to control@bugs.debian.org. (Thu, 15 Jan 2015 10:51:05 GMT)


Added tag(s) fixed-upstream and jessie. Request was from Vlad Orlov <monsta@inbox.ru> to control@bugs.debian.org. (Sun, 31 May 2015 09:51:08 GMT)


Reply sent to Vlad Orlov <monsta@inbox.ru>:
You have taken responsibility. (Sun, 31 May 2015 09:54:07 GMT)


Notification sent to Michael Webster <miketwebster@gmail.com>:
Bug acknowledged by developer. (Sun, 31 May 2015 09:54:07 GMT)


Message #16 received at 759145-done@bugs.debian.org:

From: Vlad Orlov <monsta@inbox.ru>
To: 759145-done@bugs.debian.org
Subject: fixed in Jessie several months ago -> closing
Date: Sun, 31 May 2015 12:48:18 +0300


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 29 Jun 2015 07:30:44 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 06:16:32 2025; Machine Name: buxtehude