GNOME Bugzilla – Bug 648234
CVE-2011-1596 gnome-screensaver: Switching users does not lock the screen for the original user (user prior the switch)
Last modified: 2011-04-26 17:23:36 UTC
Overview: The following deficiency has been reported to Red Hat Bugzilla:

[1] https://bugzilla.redhat.com/show_bug.cgi?id=697199

Upon switching the original user to the new user (use "Switch User", login as new user) and logging out from the new user account, the desktop is returned to the original user without prompting for a password.

Steps to Reproduce (from [1]):
1. user1: Choose "switch user", login as user2.
2. user2: Choose "logout"

Actual Results (from [1]):
The desktop is returned to user1's desktop without being prompted for a password.
Switch user then use ctrl+alt+fN to switch back to the original user. The screensaver is not activated.

Expected result:
Upon switch the original user1 is prompted again for password prior to accessing their desktop.

Additional Information:
Reported against gnome-desktop3-3.0.0-1.fc15 (upstream v3.0.0 based) version on x86_64 architecture for Fedora 15. But not sure if this is architecture dependent.
Where do you click "switch user"?
The CVE identifier of CVE-2011-1596 has been assigned to this issue.
(In reply to comment #1)
> Where do you click "switch user"?

Hello Vincent, thank you for looking into this. Will find out the information you requested from the original reporter of the issue.

Jan.
Just to clarify why I asked: gnome-desktop itself has nothing to do with this feature, so the CVE is not assigned to the right module. It could be an issue in gnome-shell, gnome-session, gnome-panel, or something else.
The problem is with gnome-screensaver. The enclosed patch should resolve the issue, though I need to check if this is the only issue here.
Created attachment 186643: gnome-screensaver patch
Err, if the user clicks on "Switch user" in the screensaver dialog, then the screen is already locked for the original user, isn't it?
Created attachment 186644: Backtrace provided by the reporter
Hi Vincent, My patch is only based on the backtrace :)
So you're saying the screen "unlocks" because gnome-screensaver is crashing because error is NULL and the g_debug line dereferences it?
This code is in gnome-screensaver-dialog, so I don't think the screen gets unlocked if it crashes. Or if that's the case, then something is really wrong :-)
Okay, diving in and going back to the original report, it sounds like the original reporter can't reproduce the "screen gets unlocked" part either:

"Note: although gnome-screensaver crashes, I cannot reproduce the "screen left unlocked" part."

Comment on attachment 186643
gnome-screensaver patch

commit 338b86c4f0c2cdc4241dbf5cda913f0184afc105
Author: Huzaifa Sidhpurwala <huzaifas@redhat.com>
Date: Tue Apr 26 13:15:56 2011 -0400

    dialog: Fix crash in user switcher code

    The user switch button currently causes the lock dialog to crash because of an inverted conditional in the error checking code. This commit addresses the crash by performing the proper check in the conditional.
I'm going to go ahead and close this one out. If you come up with new details involving the screensaver daemon crashing or otherwise unlocking then let's take that up in a new report. Thanks for the patch.
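The failure mode discussed in this thread, an inverted check on a GError-style out-parameter, shown as an added example; it is not the gnome-screensaver patch or code from this report. `Err`, `spawn_greeter`, `debug_log` and the log text are constructed stand-ins, written in plain C with no GLib dependency.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for GLib's GError, constructed for this example. */
typedef struct { int code; const char *message; } Err;
static char last_log[128];              /* what the debug line wrote */

/* Hypothetical launcher following the GError convention: returns 1 and
 * leaves *err NULL on success, returns 0 and sets *err on failure. */
static int spawn_greeter(int fail, Err **err) {
    static Err not_found = { 1, "greeter not found" };
    if (fail) { *err = &not_found; return 0; }
    return 1;
}

static void debug_log(const char *msg) {
    snprintf(last_log, sizeof last_log, "Unable to switch user: %s", msg);
}

/* Inverted check: the body runs on success, when err is still NULL, so
 * err->message is a NULL dereference. On failure nothing is logged. */
int switch_user_inverted(int fail) {
    Err *err = NULL;
    last_log[0] = '\0';
    int res = spawn_greeter(fail, &err);
    if (res)                            /* BUG: condition is inverted */
        debug_log(err->message);
    return res;
}

/* Corrected check: err is read only on the failure path, where the
 * convention guarantees it has been set. */
int switch_user_checked(int fail) {
    Err *err = NULL;
    last_log[0] = '\0';
    int res = spawn_greeter(fail, &err);
    if (!res)
        debug_log(err->message);
    return res;
}

const char *logged(void) { return last_log; }

int main(void) {
    int ok = switch_user_checked(1);
    printf("checked, failure: res=%d log=\"%s\"\n", ok, logged());
    ok = switch_user_inverted(1);       /* success path would crash here */
    printf("inverted, failure: res=%d log=\"%s\"\n", ok, logged());
    return 0;
}
```

Besides crashing on success, the inverted form also hides real failures: the error is set but never logged.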