Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 574270 (CVE-2016-2312) - <kde-plasma/plasma-workspace-5.4.3-r1, <kde-plasma/kscreenlocker-5.5.4-r1 - lock screen bypass
Summary: <kde-plasma/plasma-workspace-5.4.3-r1, <kde-plasma/kscreenlocker-5.5.4-r1 - l...
Status: RESOLVED FIXED
Alias: CVE-2016-2312
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.kde.org/info/security/adv...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-09 15:54 UTC by Michael Palimaka (kensington)
Modified: 2016-02-09 23:48 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Palimaka (kensington) gentoo-dev 2016-02-09 15:54:58 UTC
KDE Project Security Advisory
=============================

Title:          plasma-workspace, kscreenlocker: Lock screen bypass
Risk Rating:    Low
CVE:            
Platforms:      X11
Versions:       plasma-workspace < 5.5.0, kscreenlocker < 5.5.5
Author:         Martin Gräßlin mgraesslin@kde.org
Date:           09 February 2016

Overview
========

Turning all screens off while the lock screen is shown can result in the screen being unlocked when turning a screen on again.

Impact
======

An unauthorized user might gain access to a locked system. Physical access to the hardware is required.

Workaround
==========

None

Solution
========

For plasma-workspace apply the following patches:
 5.0 branch: http://commits.kde.org/plasma-workspace/5651785ad6663e2ef4d12a94b0b5f1cb7d40a9a1
 5.1 branch: http://commits.kde.org/plasma-workspace/1fe565e5dae31e57d81556b07e7459be14c5d834
 5.2 branch: http://commits.kde.org/plasma-workspace/e1036973552a8964dffcbca0743eb1accc14bc56
 5.3 branch: http://commits.kde.org/plasma-workspace/de6e19fd8c30166bdbc1333dcd5ef2278f570fa2
 5.4 branch: http://commits.kde.org/plasma-workspace/23a9ed7ba9995570227dbcd69c23f009de7dde49

For kscreenlocker upgrade to Plasma 5.5.5 (after 1 March 2016) or apply the following patch:
http://commits.kde.org/kscreenlocker/fae65f1cdd6446042b31ccd0eafd7a4c0b6623e3

References
==========

https://bugs.kde.org/show_bug.cgi?id=358125
https://bugzilla.opensuse.org/show_bug.cgi?id=964548

Credits
=======

Thanks to Dirk Weber for finding the issue, the openSUSE community for helping investigating and Martin Gräßlin for fixing the issue.
Comment 1 Michael Palimaka (kensington) gentoo-dev 2016-02-09 16:30:28 UTC
All versions in the tree are fixed.
Comment 2 Kristian Fiskerstrand gentoo-dev 2016-02-09 22:43:14 UTC
(In reply to Michael Palimaka (kensington) from comment #1)
> All versions in the tree are fixed.

Thanks :)

No stable version, setting noglsa. 

CVE request at http://www.openwall.com/lists/oss-security/2016/02/09/4 . Bug can be closed once that is added