Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 574270 (CVE-2016-2312)

Summary: <kde-plasma/plasma-workspace-5.4.3-r1, <kde-plasma/kscreenlocker-5.5.4-r1 - lock screen bypass
Product: Gentoo Security Reporter: Michael Palimaka (kensington) <kensington>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: kde
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.kde.org/info/security/advisory-20160209-1.txt
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Michael Palimaka (kensington) gentoo-dev 2016-02-09 15:54:58 UTC 
KDE Project Security Advisory
=============================

Title:          plasma-workspace, kscreenlocker: Lock screen bypass
Risk Rating:    Low
CVE:            
Platforms:      X11
Versions:       plasma-workspace < 5.5.0, kscreenlocker < 5.5.5
Author:         Martin Gräßlin mgraesslin@kde.org
Date:           09 February 2016

Overview
========

Turning all screens off while the lock screen is shown can result in the screen being unlocked when turning a screen on again.

Impact
======

An unauthorized user might gain access to a locked system. Physical access to the hardware is required.

Workaround
==========

None

Solution
========

For plasma-workspace apply the following patches:
 5.0 branch: http://commits.kde.org/plasma-workspace/5651785ad6663e2ef4d12a94b0b5f1cb7d40a9a1
 5.1 branch: http://commits.kde.org/plasma-workspace/1fe565e5dae31e57d81556b07e7459be14c5d834
 5.2 branch: http://commits.kde.org/plasma-workspace/e1036973552a8964dffcbca0743eb1accc14bc56
 5.3 branch: http://commits.kde.org/plasma-workspace/de6e19fd8c30166bdbc1333dcd5ef2278f570fa2
 5.4 branch: http://commits.kde.org/plasma-workspace/23a9ed7ba9995570227dbcd69c23f009de7dde49

For kscreenlocker upgrade to Plasma 5.5.5 (after 1 March 2016) or apply the following patch:
http://commits.kde.org/kscreenlocker/fae65f1cdd6446042b31ccd0eafd7a4c0b6623e3

References
==========

https://bugs.kde.org/show_bug.cgi?id=358125
https://bugzilla.opensuse.org/show_bug.cgi?id=964548

Credits
=======

Thanks to Dirk Weber for finding the issue, the openSUSE community for helping investigating and Martin Gräßlin for fixing the issue.
Comment 1 Michael Palimaka (kensington) gentoo-dev 2016-02-09 16:30:28 UTC 
All versions in the tree are fixed.
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-09 22:43:14 UTC 
(In reply to Michael Palimaka (kensington) from comment #1)
> All versions in the tree are fixed.

Thanks :)

No stable version, setting noglsa. 

CVE request at http://www.openwall.com/lists/oss-security/2016/02/09/4 . Bug can be closed once that is added