Cinnamon temporarily shows the desktop and allows interacting with it when the screen is resized.
This was tested using NoMachine (https://www.nomachine.com/), which effectively plugs into the real display that outputs to the HDMI port, unlike other remote desktop solutions that create virtual displays, etc.
In such a situation, a malicious user could potentially kill the cinnamon-screensaver process, giving them full access to the desktop without knowing the password.
Steps to reproduce
1. Lock display
2. Resize desktop by enabling remote resizing in NoMachine and then maximizing or resizing the NoMachine window
3. Desktop with all your open apps and information is visible for a few milliseconds. At this point, you can see everything that was on the desktop, and keystrokes are being passed to programs
4. Desktop is locked again shortly after
Expected behavior
Instead of the desktop being revealed temporarily during screen resizing, the lockscreen should remain in place and block any access to the desktop.
Alternatively, it could be implemented as a black screen that captures all input while the locker restarts after the resizing operation finishes.
My (un?)educated guess of what's happening here is the actual cinnamon-screensaver process is crashing, and a helper process is immediately spawning a new process upon detecting this crash, because this helper process knows the system was supposed to be locked.
My suggestion is that this helper process should additionally draw a blank screen completely blocking the desktop right behind the lockscreen, in case the lockscreen ever crashes.
algorithmwolf changed the title from "Lockscreen bypass when resizing screen" to "Security: Lockscreen bypass when resizing screen" on Sep 3, 2024
Distribution
Mint 22
Package version
6.2.0
Graphics hardware in use
Radeon 680M
Frequency
Always
Additional information
I recorded this behaviour in a video:
https://github.com/user-attachments/assets/87f195aa-6f96-4798-8a9f-67c278560ddd
The cinnamon-screensaver logs:
cinnamon-screensaver.log
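An added example, not part of the original report or of Cinnamon's code: given a timeline of lock-state and locker-process events, it measures any span in which the session was marked locked while no locker process was running, the condition the reporter suspects. The event format and the sample lines are constructed for illustration and are not cinnamon-screensaver's log format.

```python
from datetime import datetime, timedelta

# Constructed sample timeline in a hypothetical format:
# "<ISO timestamp> <source> <event>"
SAMPLE_EVENTS = """\
2024-09-03T10:00:00.000 locker started
2024-09-03T10:00:00.050 session locked
2024-09-03T10:05:12.300 locker exited
2024-09-03T10:05:12.420 locker started
2024-09-03T10:09:40.000 session unlocked
2024-09-03T10:09:40.010 locker exited
"""


def exposure_windows(text):
    """Return (start, end, milliseconds) for each span where the session
    was locked but no locker process was alive to cover the desktop.
    A span still open at the end of the input has end and duration None."""
    locked = False
    locker_alive = False
    gap_start = None
    windows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, source, event = line.split()
        ts = datetime.fromisoformat(stamp)
        if source == "session":
            locked = event == "locked"
        elif source == "locker":
            locker_alive = event == "started"
        else:
            raise ValueError(f"unknown event source: {source!r}")
        exposed = locked and not locker_alive
        if exposed and gap_start is None:
            gap_start = ts  # desktop is uncovered from this moment
        elif not exposed and gap_start is not None:
            millis = (ts - gap_start) // timedelta(milliseconds=1)
            windows.append((gap_start, ts, millis))
            gap_start = None
    if gap_start is not None:
        windows.append((gap_start, None, None))  # never re-covered
    return windows


if __name__ == "__main__":
    for start, end, millis in exposure_windows(SAMPLE_EVENTS):
        print(f"locked session uncovered from {start} to {end} ({millis} ms)")
```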