mate-desktop / mate-screensaver

MATE screen saver and locker
https://mate-desktop.org
GNU General Public License v2.0

mate-screensaver screen lock can be bypassed by power cycling monitor [$110] #155

Closed fizzfaldt closed 5 years ago

fizzfaldt commented 6 years ago

Expected behaviour

1. Lock Screen
2. Turn off monitor (either by power management putting it to sleep, or by pressing power button)
3. Turn monitor on
4. Start typing
5. Expect to see lock screen on monitor

Actual behaviour

1. Lock Screen
2. Turn off monitor
3. Turn monitor on
4. Start typing
5. Expect to see lock screen on monitor

Steps to reproduce the behaviour

adddate() {
   while IFS= read -r line; do
      echo "$(date) $line"
   done
}
killall mate-screensaver
mate-screensaver --no-daemon --debug 2>&1 \
  | adddate  > screen.log

1. Wait 60 seconds
2. Lock screen (I used Window manager shortcut)
3. Wait 60 seconds
4. Power off monitor (soft off)
5. Wait 60 seconds
6. Power on monitor
7. Wait 9 seconds (that's how long it takes monitor to boot)
8. Can see and use screen/type/etc; it is (effectively) unlocked.

Notes/logs: mate-screensaver-command -q reports:

Same as above, annotated with logs (attached for ease of reading):

1. mate-screensaver --no-daemon --debug: mate-screensaver-1.txt
2. Wait 60 seconds, lock screen (I used Window manager shortcut): mate-screensaver-2.txt
3. Wait 60 seconds, power off monitor (soft off): mate-screensaver-3.txt, dmesg-3.txt
4. Wait 60 seconds, power on monitor: mate-screensaver-4.txt, dmesg-4.txt
5. Wait 9 seconds (that's how long it takes monitor to boot). Can see and use screen/type/etc; it is (effectively) unlocked: dmesg-5.txt

(there is no dmesg-1.txt or dmesg-2.txt or mate-screensaver-5.txt (blank during that time))

Troubleshooting

This occurred on two machines.

Please let me know what other logs/steps may be useful.

MATE general version

1.20.0

Package version

mate-screensaver 1.20.0-1. See attached mate-packages.txt for full list of all mate-related package versions.

Linux Distribution

Ubuntu 18.04

Downstream bug link

https://bugs.launchpad.net/ubuntu/+source/mate-screensaver/+bug/1768352

raveit65 commented 6 years ago

One issue which is still there is that the screen flickers for a second; during this second the content of my desktop is shown.

https://github.com/mate-desktop/mate-screensaver/pull/169 Does this help?

Philippe734 commented 5 years ago

mate-screensaver-1.20.2 with the fix is released

How to track the progress of this release for 18.04 LTS Mate? I ask because with 18.04 Mate, on a desktop with any 1 monitor, I can reproduce the issue easily by unplugging the display cable (not the power). I tested with HDMI, DVI and DisplayPort. Very ugly issue. Videos: https://bit.ly/2VA4oaT + https://bit.ly/2CRui2t

oz123 commented 5 years ago

> mate-screensaver-1.20.2 with the fix is released
>
> How to track the progress of this release for 18.04 LTS Mate? I ask because with 18.04 Mate, on a desktop with any 1 monitor, I can reproduce the issue easily by unplugging the display cable (not the power). I tested with HDMI, DVI and DisplayPort. Very ugly issue. Videos: https://bit.ly/2VA4oaT + https://bit.ly/2CRui2t

This Ubuntu package version does not include a fix for this. They have 1.20.1; the fix is in 1.20.2. File a bug there so they package the newer version.
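
A version check for the fix discussed in this thread, as an added example that is not part of the thread or of the project's code: it treats upstream 1.20.2 (the release the thread says carries the fix) as the threshold, and the function names are made up here. It cannot see distribution backports, so a lower version carrying a backported patch still reports as affected.

```shell
#!/bin/sh
# Added example: classify a mate-screensaver package version against the
# release that the thread says carries the fix.
FIXED_UPSTREAM="1.20.2"   # from the thread: "the fix is in 1.20.2"

# Strip a Debian-style epoch ("1:") and revision ("-1ubuntu1") so that only
# the upstream version remains.
upstream_version() {
    v=${1#*:}                 # drop epoch, if any
    printf '%s\n' "${v%-*}"   # drop revision after the last hyphen, if any
}

# Succeed when $1 >= $2 in version order (relies on sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Print "fixed", "affected" or "unknown" for a package version string.
classify() {
    up=$(upstream_version "$1")
    case "$up" in
        ''|*[!0-9.]*) echo "unknown"; return 0 ;;   # not a plain dotted version
    esac
    if version_ge "$up" "$FIXED_UPSTREAM"; then
        echo "fixed"
    else
        echo "affected"
    fi
}

# Constructed sample versions (1.20.0-1 is the one given in the report).
for sample in 1.20.0-1 1.20.1-1ubuntu1 1.20.2-1; do
    echo "$sample: $(classify "$sample")"
done

# On a dpkg-based system, also report the installed package.
if command -v dpkg-query >/dev/null 2>&1; then
    installed=$(dpkg-query -W -f='${Version}' mate-screensaver 2>/dev/null || true)
    if [ -n "$installed" ]; then
        echo "installed $installed: $(classify "$installed")"
    fi
fi
```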

sunweaver commented 5 years ago

Hi,

On Sunday, 6 January 2019, Oz N Tiram wrote:

>> mate-screensaver-1.20.2 with the fix is released
>>
>> How to track the progress of this release for 18.04 LTS Mate? I ask because with 18.04 Mate, on a desktop with any 1 monitor, I can reproduce the issue easily by unplugging the display cable (not the power). I tested with HDMI, DVI and DisplayPort. Very ugly issue. Videos: https://bit.ly/2VA4oaT + https://bit.ly/2CRui2t
>
> This Ubuntu package version does not include a fix for this. They have 1.20.1; the fix is in 1.20.2. File a bug there so they package the newer version.

I will upload mate-screensaver 1.20.2 to Debian the coming week, so the fix will appear in Ubuntu 19.04.

Is this whole issue worth a CVE? It sounds like it. If so, please let me know and I will report it to CVE Mitre.

CVEs are more likely to be fixed in Ubuntu LTS than normal bugs.

Mike

oz123 commented 5 years ago

@sunweaver please do report a CVE.

lukefromdc commented 5 years ago

Master seems to be in a good state now: power cycling a VGA-connected primary monitor does nothing, unplugging and replugging an inactive HDMI secondary monitor just brings up the passphrase entry screen.

sunweaver commented 5 years ago

On So 06 Jan 2019 17:59:35 CET, Oz N Tiram wrote:

> @sunweaver please do report a CVE.

Submitted. Waiting for CVE Mitre feedback.

Mike

sunweaver commented 5 years ago

This is CVE-2018-20681

schneider42 commented 4 years ago

https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20681.html

"needs-triage". I don't think it will be fixed in Ubuntu 18.04 LTS.

mikkorantalainen commented 3 years ago

Confirming that this is still broken in Ubuntu 18.04 LTS. I found out about this issue when I got a LG monitor that triggers this bug on DPMS standby. I'm currently using http://ppa.launchpad.net/spvkgn/mate-bionic/ubuntu as a workaround (https://launchpad.net/~spvkgn/+archive/ubuntu/mate-bionic).