
How to solve the problem of the Linux desktop being breached at will

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Many less experienced users are at a loss about what to do when a locked Linux desktop can be broken into at will. This article summarizes the causes of the problem and its solutions, in the hope that it helps you deal with it.

The Linux Mint project has recently fixed a security vulnerability that could allow threat actors to bypass the operating system's screen saver and its password and access locked desktops.

The vulnerability was originally reported by a user nicknamed robo2bobo in a Linux Mint bug report. Robo2bobo, whose desktop environment is Cinnamon, said that random presses on the keyboard and screen by his two children, who have no technical background, caused the Linux Mint screensaver to crash, bypassing the password and giving access to the locked Linux desktop.

He also reproduced it to prove that it was not an accident. "I thought it was a unique event, but they did it successfully for the second time." Once the bug was filed, many users chimed in to report that they had encountered the same problem, and that the desktop environment they used was also Cinnamon. It is reported that desktop systems above Cinnamon 4.2 are affected by this bug.

In response, Clement Lefebvre, the lead developer of Linux Mint, said the problem was eventually traced to libcaribou, the on-screen keyboard (OSK) component that ships with Cinnamon, the desktop interface used by Linux Mint. Specifically, the bug is triggered when the user presses a key on the on-screen keyboard.

In most cases this bug only crashes the Cinnamon desktop process. If the on-screen keyboard is opened from the screensaver, however, the bug crashes the screensaver instead, and whoever is at the machine gets access to the underlying desktop. Lefebvre said the vulnerability was introduced when Linux Mint patched another vulnerability, CVE-2020-25712, in October last year. Linux Mint has since released a new patch for this vulnerability.

However, this is not the end of the matter. JWZ, a well-known programmer, published an article entitled "I told you so, 2021 edition" in response to the incident, complaining that he had already warned about this 17 years ago: "If you don't run XScreenSaver on Linux, then your screen is not locked."

JWZ pointed out that he encounters this kind of bug every few years, but every time he reported the problem, Linux Mint replied that "it has been fixed." He listed four related security vulnerabilities, as follows:

CVE-2019-3010: privilege escalation through the Oracle Solaris screen saver.

CVE-2014-1949, MDVSA-2015:162: press the menu key in the Cinnamon screen saver, then press the ESC key to get a shell.

Press and hold the down arrow to unlock the Cinnamon screen saver.

Press and hold the Enter key to unlock the GNOME screen saver.

According to JWZ, there are several reasons for this kind of bug:

First, writing security-critical code is difficult and most people can't do it.

Second, locking and authentication are an operating-system-level problem. X11 is at the core of the Linux desktop, but its design has no security to speak of, so the locking program must run as a normal, unprivileged, user-level application. That makes the problem harder to solve.

Third, the X11 architecture has a serious problem that cannot be repaired. "X11 is too old, too rigid, and too many stakeholders are stuck in the quagmire to make any meaningful changes to it. That's why people have been trying to replace X11 but failed because it's so ingrained."
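Because the locker is an ordinary user-level process, a crash removes the lock unless something else reacts to it. The sketch below is an added example, not code from Linux Mint, Cinnamon or XScreenSaver: a supervisor that treats any abnormal exit of the locker as a reason to fail closed. It assumes a locker that stays in the foreground and exits with status 0 only after successful authentication; the function name and the stand-in commands are hypothetical.

```python
import subprocess
import sys


def supervise_locker(locker_cmd, fail_closed_cmd):
    """Run a foreground locker and fail closed if it dies abnormally.

    Assumption: the locker blocks while the screen is locked and returns
    exit status 0 only after the user has authenticated.
    Returns (outcome, reason); outcome is "unlocked", "failed-closed"
    or "exposed".
    """
    try:
        rc = subprocess.run(locker_cmd).returncode
    except OSError as exc:
        # The locker never started, so the screen was never locked.
        reason = f"locker failed to start: {exc}"
    else:
        if rc == 0:
            return ("unlocked", "locker exited cleanly")
        # A negative return code means the process was killed by a signal,
        # which is what a crash such as a segfault looks like.
        reason = (f"locker killed by signal {-rc}" if rc < 0
                  else f"locker exited with status {rc}")
    # The lock disappeared without authentication: end the session rather
    # than leave the desktop reachable.
    try:
        ended = subprocess.run(fail_closed_cmd).returncode == 0
    except OSError:
        ended = False
    return ("failed-closed" if ended else "exposed", reason)


# Constructed stand-ins so the example runs offline (not real lockers).
CLEAN_LOCKER = [sys.executable, "-c", "pass"]
CRASHING_LOCKER = [sys.executable, "-c",
                   "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]
# Assumption: on a systemd desktop the real fail-closed command could be
# ["loginctl", "terminate-session", os.environ["XDG_SESSION_ID"]].
END_SESSION_OK = [sys.executable, "-c", "pass"]

if __name__ == "__main__":
    print(supervise_locker(CLEAN_LOCKER, END_SESSION_OK))
    print(supervise_locker(CRASHING_LOCKER, END_SESSION_OK))
```

The supervisor is itself an unprivileged process in the same session, so it narrows the crash window but does not remove the architectural limitation described above.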

At the end of the article, JWZ also said that he was eager to see how the maintainers would solve the problem.

Some users then posted the link to JWZ's article under the Linux Mint bug report and @-mentioned the relevant maintainers, which drew a reply from Lefebvre. Lefebvre said bluntly that JWZ's blog post was painful, unconstructive and contained some nonsense; although he raised the question, he did not give any solution.

Lefebvre also rebutted JWZ's criticisms one by one, and called on JWZ not to be someone who only knows how to talk; after all, anyone can say fine-sounding things. It would be better, he said, for the two sides to work together on the safest path, joining in code audits and feature development as problem solvers.
