[Secure-testing-team] Bug#539699: xscreensaver: unlocked because killed, infinite loop with small screen
David Fries
david at fries.net
Mon Aug 3 02:18:03 UTC 2009
Package: xscreensaver
Version: 5.05-3
Severity: grave
Tags: security patch
Justification: user security hole
Reproduce by setting a narrow X resolution, in this case I was running
Xnest at 410x384, type something to get the password dialog, but it
never comes up. xscreensaver goes into an infinite loop eating
memory, and the one time I let it run, the Linux kernel out of memory
detector killed xscreensaver unlocking the X server. That's why I
marked this with the security tags.
Do any hardware and X software automatically pick up and use newly
plugged in displays? If so, it might be exploited by plugging in a
custom display device with a small screen, using this exploit to
kill the screen saver, getting access to the system, then restarting
xscreensaver to make detection more difficult.
The problem is that when mlstring_wrap detects a space, it will copy the
whitespace onto a new line and then truncate the original string for
the current line. If in the next iteration the line is still too
long, and the current whitespace character is the first one
encountered, it is in an infinite loop finding the same whitespace
character.
In my case line_length is 5, and the string is
"Please enter your password."
This patch will leave the whitespace in the previous line so it can't
be found the next iteration. It will also make the previous line too
wide, but only the whitespace would be over the border.
On a side note it might be a good idea to always put the logo on the
right side, or put it on the right side when the width is too small.
With the patch at 410 pixels wide the logo takes up almost all of the
screen and the text is just visible at the right side.
diff --git a/driver/mlstring.c b/driver/mlstring.c
index d6df844..a850890 100644
--- a/driver/mlstring.c
+++ b/driver/mlstring.c
@@ -153,6 +153,8 @@ mlstring_wrap(mlstring *mstring, XFontStruct *font, Dimension width)
if (wrap_at == -1) /* No space found, hard wrap */
wrap_at = line_length;
+ else
+ wrap_at++; /* Leave the space at the end of the line. */
newml = calloc(1, sizeof(*newml));
if (!newml) /* OOM, don't bother trying to wrap */
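Review bot: the added `else wrap_at++` ends the loop because `wrap_at` is now at least 1 whenever a space was found, so every pass consumes a character, but it does so by keeping the separator on the current line, which is why a wrapped line can now be one character wider than `width` (only the trailing space, as the report says). If that overshoot matters, truncate the current line at `wrap_at` and start the new line at `wrap_at + 1` instead, dropping the space altogether; that also consumes at least one character per pass and keeps every line within `width`. Independently of which variant is chosen, the loop would be safer with an explicit progress check (treat a computed wrap point of 0 as a failed wrap and stop), so that any future regression shows up as a visible wrapping error rather than unbounded allocation: the `if (!newml)` check below only reacts to the allocation failure, not to the runaway that produces it.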
-- System Information:
Debian Release: 5.0.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i586)
Kernel: Linux 2.6.29-rc3
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages xscreensaver depends on:
ii libatk1.0-0 1.22.0-1 The ATK accessibility toolkit
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libcairo2 1.6.4-7 The Cairo 2D vector graphics libra
ii libglade2-0 1:2.6.2-1 library to load .glade files at ru
ii libglib2.0-0 2.16.6-2 The GLib library of C routines
ii libgtk2.0-0 2.12.12-1~lenny1 The GTK+ graphical user interface
ii libice6 2:1.0.4-1 X11 Inter-Client Exchange library
ii libpam0g 1.0.1-5+lenny1 Pluggable Authentication Modules l
ii libpango1.0-0 1.20.5-5 Layout and rendering of internatio
ii libsm6 2:1.0.3-2 X11 Session Management library
ii libx11-6 2:1.1.5-2 X11 client-side library
ii libxext6 2:1.0.4-1 X11 miscellaneous extension librar
ii libxinerama1 2:1.0.3-2 X11 Xinerama extension library
ii libxml2 2.6.32.dfsg-5 GNOME XML library
ii libxmu6 2:1.0.4-1 X11 miscellaneous utility library
ii libxpm4 1:3.5.7-1 X11 pixmap library
ii libxrandr2 2:1.2.3-1 X11 RandR extension library
ii libxrender1 1:0.9.4-2 X Rendering Extension client libra
ii libxt6 1:1.0.5-3 X11 toolkit intrinsics library
ii libxxf86misc1 1:1.0.1-3 X11 XFree86 miscellaneous extensio
ii libxxf86vm1 1:1.0.2-1 X11 XFree86 video mode extension l
ii xscreensaver-data 5.05-3 data files to be shared among scre
Versions of packages xscreensaver recommends:
ii libjpeg-progs 6b-14 Programs for manipulating JPEG fil
ii perl [perl5] 5.10.0-19 Larry Wall's Practical Extraction
ii wamerican [wordlist] 6-2.3 American English dictionary words
pn xli | xloadimage <none> (no description available)
Versions of packages xscreensaver suggests:
ii fortune-mod [fortune] 1:1.99.1-3.1 provides fortune cookies on demand
ii iceape-browser [www-bro 1.1.14-1 Iceape Navigator (Internet browser
ii iceweasel [www-browser] 3.0.6-1 lightweight web browser based on M
ii konqueror [www-browser] 4:3.5.9.dfsg.1-6 KDE's advanced file manager, web b
ii lynx-cur [www-browser] 2.8.7dev9-2.1 Text-mode WWW Browser with NLS sup
ii streamer 3.95.dfsg.1-8 television capture tool (images/mo
pn xdaliclock <none> (no description available)
pn xfishtank <none> (no description available)
pn xscreensaver-gl <none> (no description available)
-- no debconf information
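As an added illustration, not part of this report and not xscreensaver's own code, the following C program models the wrap loop the report describes, so the non-terminating case and the effect of the `wrap_at++` patch can be run side by side. The function names `wrap_words`, `demo_wrap` and `demo_line` are hypothetical, and the search for the break point (backwards for the last space at or before `line_length`) is an assumption about the original, chosen because it reproduces the behaviour the report describes: with the space carried onto the next line, the next pass finds that same space at index 0 and consumes nothing.

```c
/* Added example, not xscreensaver's code: a self-contained model of the
 * mlstring_wrap() line-splitting loop described in the report. The
 * original works on a linked list of X text lines; this version copies
 * each finished line into a fixed buffer so results are easy to check.
 * wrap_words(), demo_wrap() and demo_line() are hypothetical names. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINES 64
#define MAX_LINE  128   /* assumes line_length + 2 < MAX_LINE */

/* Break `text` into lines of at most `line_length` characters. Assumption:
 * the break goes at the last space found at or before index line_length,
 * or at line_length when there is none (hard wrap).
 *
 * keep_space_on_line == 0 models the reported bug: the break is placed at
 * the space, so the space becomes the first character of the next line and
 * is found again on the next pass at index 0, consuming nothing.
 * keep_space_on_line != 0 models the patch (wrap_at++): the space stays at
 * the end of the current line, so every pass consumes at least one
 * character.
 *
 * Returns the number of lines produced, or -1 when the loop did not finish
 * within max_lines passes. That guard stands in for xscreensaver, which
 * has no such check and kept allocating lines until the kernel OOM killer
 * ended the process. */
static int wrap_words(const char *text, int line_length, int keep_space_on_line,
                      char lines[][MAX_LINE], int max_lines)
{
    char cur[MAX_LINE];
    int n = 0;

    strncpy(cur, text, MAX_LINE - 1);
    cur[MAX_LINE - 1] = '\0';

    while ((int)strlen(cur) > line_length) {
        int wrap_at = -1;
        int i;

        if (n >= max_lines - 1)
            return -1;          /* no progress: the original loops here forever */

        /* Search backwards for the last space at or before line_length. */
        for (i = line_length; i >= 0; i--) {
            if (isspace((unsigned char)cur[i])) {
                wrap_at = i;
                break;
            }
        }

        if (wrap_at == -1)              /* No space found, hard wrap */
            wrap_at = line_length;
        else if (keep_space_on_line)
            wrap_at++;                  /* the patch: leave the space on this line */

        /* Emit the current line and continue with what is left. */
        memcpy(lines[n], cur, (size_t)wrap_at);
        lines[n][wrap_at] = '\0';
        n++;
        memmove(cur, cur + wrap_at, strlen(cur + wrap_at) + 1);
    }
    strcpy(lines[n], cur);
    return n + 1;
}

/* Run the report's own case, "Please enter your password." at a given line
 * length (5 in the report), keeping the result in a static buffer. */
static char demo_lines[MAX_LINES][MAX_LINE];

static int demo_wrap(int line_length, int keep_space_on_line)
{
    return wrap_words("Please enter your password.", line_length,
                      keep_space_on_line, demo_lines, MAX_LINES);
}

static const char *demo_line(int idx)
{
    return demo_lines[idx];
}

int main(void)
{
    int i;
    int n = demo_wrap(5, 0);
    printf("unpatched wrap: %s\n",
           n < 0 ? "no progress, loop never terminates" : "ok");

    n = demo_wrap(5, 1);
    printf("patched wrap: %d lines\n", n);
    for (i = 0; i < n; i++)
        printf("  [%s]\n", demo_line(i));
    return 0;
}
```

Running it shows the unpatched variant tripping the pass limit (the stand-in for the memory exhaustion the report saw), while the patched variant finishes in six lines, two of which carry a trailing space past the five-character limit, exactly the overshoot the report mentions.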