Bug Detected in Linux Mint Virtual Keyboard by Two Kids
A flaw has been found in the Linux Mint screensaver; it was discovered by two children who were playing on their dad’s computer. The maintainers of the Linux Mint project have labeled the bug a security vulnerability because it could have allowed any threat actor to bypass the OS screensaver and its password and access locked desktops.
Accessing the desktop this way is simple: using the virtual keyboard, the screensaver could be crashed, and the desktop would be unlocked.
“A few weeks ago, my kids wanted to hack my Linux desktop, so they typed and clicked everywhere while I was standing behind them looking at them play,” states the user whose kids discovered the flaw in the screensaver. He further added that his kids crashed the Linux Mint screensaver by pressing random keys on both the physical and the on-screen keyboards and bypassed the lock. Their father initially thought that this was accidental; however, the kids managed to do the same a second time.
Clement Lefebvre, the developer of Linux Mint, also said that the issue was eventually tracked down to libcaribou, the on-screen keyboard (OSK) component that ships with Cinnamon, the desktop interface used by Linux Mint. In this regard, he wrote, “we’ll most likely patch libcaribou here”.
The team mentioned that the vulnerability is triggered when the user presses the “ē” key on the on-screen keyboard, which eventually causes a crash. It has also been observed that in most cases the bug crashes the Cinnamon desktop process; however, if the virtual keyboard is left open for a long time from the screensaver, the bug crashes the screensaver rather than the Cinnamon process. This in turn allows users to access the underlying desktop.
Further, Lefebvre added, “the bug was introduced in the Linux Mint OS when the project patched another vulnerability last October, tracked on the Xorg update as CVE-2020-25712”, while the bug affects all the other distributions running Cinnamon 4.2+ and any other software that uses libcaribou.
Later, on 13th January 2021, a patch was released for this vulnerability that addresses the bug and prevents future crashes.