[SRU] caribou: Segfault (as regression of xorg CVE-2020-25712 fix) cause security issue for cinnamon

Bug #1912060 reported by Joshua Peisach
This bug affects 2 people
Affects           Status        Importance  Assigned to    Milestone
caribou (Debian)  Fix Released  Unknown
caribou (Ubuntu)  Fix Released  Medium      Fantu
  Focal           Fix Released  Medium      Steve Beattie
  Groovy          Fix Released  Medium      Steve Beattie
  Hirsute         Fix Released  Medium      Fantu

Bug Description

[Impact]
There is a regression after solving CVE-2020-25712 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25712) in xserver (https://gitlab.freedesktop.org/xorg/xserver/-/commit/87c64fc5b0db9f62f4e361444f4b60501ebf67b9) that makes caribou crash when pressing ē.

In cinnamon-screensaver (>=4.2, where the virtual keyboard is integrated), a crash of caribou also crashes the screensaver and makes access possible without entering the correct password; this introduces a security issue.

[Test Case]
In cinnamon-screensaver (>=4.2), pressing ē (after a long press on e) in the virtual keyboard (button at the bottom center of the screen) makes caribou (and the screensaver) crash and allows access without entering the correct password.

[Where problems could occur]
The following versions of Ubuntu are affected by the security issue caused by the caribou crash:
- Focal (cinnamon 4.4)
- Groovy (cinnamon 4.6)
- Hirsute (bug solved with 0.4.21-7.1)

The patch attached in comment #10 (for Focal) has the same changes as 0.4.21-7.1 (Debian unstable, Debian testing and Hirsute); the same patches are also used in some other distros that already applied the fix faster (as a security issue), and a week or more has gone by without regressions being experienced so far.
The patch is already tested in Focal and can also be used in Groovy (only changing focal->groovy).

Revision history for this message
Joshua Peisach (itzswirlz) wrote :
information type: Private Security → Public Security
description: updated
Changed in caribou (Ubuntu Focal):
assignee: nobody → Joshua Peisach (itzswirlz)
Changed in caribou (Ubuntu Groovy):
assignee: nobody → Joshua Peisach (itzswirlz)
Joshua Peisach (itzswirlz) wrote :

The main patch has been merged upstream in caribou, but build fails.

https://gitlab.com/linuxmint/pins/mint/caribou/-/commit/72fd18b747aea7bb9cf134dc62f2a85b2b4698dc - a new patch is needed too (in the debdiffs for Focal and Groovy it will be in the same patch), so hopefully that'll get merged and hopefully a release will follow soon.

Changed in caribou (Ubuntu Hirsute):
status: New → In Progress
Fantu (fantonifabio) wrote :

0.4.21-7.1 fixes it and is now in Hirsute (synced from Debian).

Changed in caribou (Ubuntu Hirsute):
status: In Progress → Fix Released
Fantu (fantonifabio)
tags: added: patch
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in caribou (Ubuntu Focal):
status: New → Confirmed
Changed in caribou (Ubuntu Groovy):
status: New → Confirmed
Fantu (fantonifabio) wrote :

About the Focal patch: the build is tested (https://launchpad.net/~fantonifabio/+archive/ubuntu/ubuntu-fixes/) and the packages were also installed and tested (unable to reproduce the issue with the new patch applied).
On Groovy it should work with the same patch (only changing focal->groovy), but I have not tested it.

Joshua Peisach (itzswirlz) wrote :

Awesome. I guess we could patch, but since the versions of caribou in Focal and Groovy are the same I think it may be more necessary to just backport.

I also need to do some testing.

Changed in caribou (Ubuntu Focal):
status: Confirmed → In Progress
Changed in caribou (Ubuntu Groovy):
status: Confirmed → In Progress
Changed in caribou (Ubuntu Focal):
assignee: Joshua Peisach (itzswirlz) → nobody
assignee: nobody → Joshua Peisach (itzswirlz)
Mathew Hodson (mhodson)
Changed in caribou (Ubuntu Focal):
importance: Undecided → Medium
Changed in caribou (Ubuntu Groovy):
importance: Undecided → Medium
Changed in caribou (Ubuntu Hirsute):
importance: Undecided → Medium
Mathew Hodson (mhodson)
tags: added: regression-update
removed: regression
Fantu (fantonifabio)
description: updated
summary: - Segfault with gir1.2-caribou-1.0 keyboard device info regression
+ [SRU] caribou: Segfault (as regression of xorg CVE-2020-25712 fix) cause
+ security issue for cinnamon
Fantu (fantonifabio) wrote :

I changed the title and description, trying to follow https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template as requested.

Fantu (fantonifabio) wrote :
description: updated
description: updated
description: updated
Fantu (fantonifabio) wrote :

About Groovy, I don't have time to test it today as I would also need to create a Groovy VM (even if it should be OK with the same Focal patch, only changing focal->groovy).
@Joshua Peisach: can you test it for Groovy (if you can/want), please?

Joshua Peisach (itzswirlz) wrote :

I'll test Groovy I guess... I just think that instead of a patch it may be better to just backport the new upstream Debian version to both focal/groovy.

Fantu (fantonifabio) wrote :

@Joshua Peisach: On released Ubuntu versions the only way to update is an SRU: https://wiki.ubuntu.com/StableReleaseUpdates
Doing a backport (for example for Focal in focal-backports) would require that users enable backports (if not already) and install it; users who don't know to do that will not have the fix.
The patch has the same code changes and only the changelog differs; the version of caribou patched is also the same, so it should be without risk. Anyway, I tested the build in Focal, installed it and checked that the issue is not reproducible anymore (and no regression shows); a fast test in Groovy would still be better, although it is very unlikely that there are differences in the result.

Joshua Peisach (itzswirlz) wrote :

Coolio. I'll set up a Groovy patch and get it tested, then I'll try and hook up a sponsor for us. :)

Marc Deslauriers (mdeslaur) wrote :

The minimal fix should be published as a security update. Once a groovy debdiff is available too, ping someone on the security team and we'll get it built and published. Thanks!

Fantu (fantonifabio) wrote :

The security fix is the third patch; the first is needed to fix the build (or it fails), and the second is another fix. I don't have time now to do another build without it and test if it works correctly and is usable also with the fix of the second patch, as it is related to that part.

Joshua Peisach (itzswirlz) wrote :

Fantu: The upstream patch fixes have been put in upstream and a few vala version changes were made... I suggest checking https://gitlab.gnome.org/GNOME/caribou/-/commit/11da0e0b21867921ba2f6d2af45af16a7db1ab92 and seeing if the Debian patch is the same; ensure the patch is the same and includes this commit.

You can also assign yourself for Hirsute

Fantu (fantonifabio)
Changed in caribou (Ubuntu Hirsute):
assignee: nobody → Fantu (fantonifabio)
Joshua Peisach (itzswirlz) wrote :

Note to self during testing: Pay attention to libcaribou-gtk-module, dpkg-shlibdeps warning:

dh_shlibdeps -- -xlibgtk2.0-0
dpkg-shlibdeps: warning: debian/libcaribou-gtk-module/usr/lib/x86_64-linux-gnu/gtk-2.0/modules/libcaribou-gtk-module.so contains an unresolvable reference to symbol g_module_make_resident: it's probably a plugin
dpkg-shlibdeps: warning: debian/libcaribou-gtk3-module/usr/lib/x86_64-linux-gnu/gtk-3.0/modules/libcaribou-gtk-module.so contains an unresolvable reference to symbol g_module_make_resident: it's probably a plugin

Fantu (fantonifabio) wrote :

The newer upstream change you linked is bigger; for a security update I suppose the Ubuntu security team would consider only the small build fix of the first patch, which is absolutely necessary (along with the third patch with the security fix).
However, it would be good to have a definite answer before continuing to invest time and seeing days go by. Also, I will probably not have time to test new builds before the weekend (for Groovy I also have to create a new VM; I have no system or VM with it at the moment).
And from what I understand, for now they will not consider fixes for Focal if there aren't also fixes for all later supported versions.
I would also like to get the next patches and tests right (and not waste time); in my free time over the next days I would like to spend as much time as possible doing more tests and possible fixes to the packages that I help to maintain in Debian before the bullseye freeze.

Joshua Peisach (itzswirlz) wrote :

Fixed the Groovy patch so it doesn't include extra junk.

Marc Deslauriers (mdeslaur) wrote :

The focal debdiff has an extra commit that the groovy debdiff doesn't have, and it doesn't look like that commit is in the upstream repo:

From 85ac8f9e210243d95163cf8b1013470a6d9c7eaa Mon Sep 17 00:00:00 2001
From: Clement Lefebvre <email address hidden>
Date: Tue, 12 Jan 2021 17:30:25 +0000
Subject: [PATCH 2/4] Fix subkey popmenu not showing after being dismissed

Could someone please investigate if that commit is needed or not, and adjust the focal and/or groovy debdiffs as appropriate.

Thanks!

Fantu (fantonifabio) wrote :

The MR with the second patch is still not merged upstream.
I tested a Focal build without it (Fix subkey popmenu not showing after being dismissed) (https://launchpad.net/~fantonifabio/+archive/ubuntu/ubuntu-fixes) and the crash is not reproducible, so if you want you can at least apply the security fix and the build fix without the second patch; the build with that additional fix is tested as well.
But without that additional fix you can select one of the characters of the sub-menu of the letter 'e' at most once, then there is no longer any possibility of making it appear, and this does not seem good to me; in that case I would recommend making an additional SRU with that other fix later (if you exclude it from the security fix build).

Joshua Peisach (itzswirlz) wrote :

Final Groovy Patch

Joshua Peisach (itzswirlz) wrote :

(Yes the other commit is needed)

Seth Arnold (seth-arnold) wrote :

It appears that the Focal package has three separate patches for three different issues:

- vala compilation
- showing an 'e' submenu
- undoing xf86 workaround, necessary after an xorg update

and it appears that the Groovy package has the same three fixes but all squashed into one patch. Is this intentional? Normally it's better to keep separate fixes separate, so they can be more easily enabled/removed, or backed out when it's found they're not necessary years later.

Thanks

Changed in caribou (Debian):
status: Unknown → Fix Released
Joshua Peisach (itzswirlz) wrote :

I guess I can separate it. I'm sorry for being slow about this, doing other stuff at the same time. :P

Joshua Peisach (itzswirlz) wrote :

Final groovy patch :)

Sebastien Bacher (seb128) wrote :

Unsubscribing the regular sponsors since security-sponsoring is the right team to handle this one.

Steve Beattie (sbeattie) wrote :

Thanks, I'm taking a look at these. I've adjusted the versions to include per-release versions, since focal and groovy had the same version of caribou.

Changed in caribou (Ubuntu Focal):
assignee: Joshua Peisach (itzswirlz) → Steve Beattie (sbeattie)
Changed in caribou (Ubuntu Groovy):
assignee: Joshua Peisach (itzswirlz) → Steve Beattie (sbeattie)
Steve Beattie (sbeattie) wrote :

Hi Fabio and Joshua, thanks for preparing these updates. I have reviewed them, adjusted the changelogs slightly, and have uploaded packages to the ubuntu-security-proposed ppa https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages to make them available for testing.

Any testing you can give these packages would be greatly appreciated. Thanks again!

Marc Deslauriers (mdeslaur) wrote :

Hi, have you had a chance to test the packages as requested in comment #31 yet? Thanks!

Joshua Peisach (itzswirlz) wrote :

I have not. I'm bad.

I just tested and I found even using the normal characters using the virtual keyboard like the euro sign crashes the screensaver. Yikes!

Joshua Peisach (itzswirlz) wrote :

All done - Groovy patch does work.

How to reproduce bug pre-patch:
1) Lock screen
2) Navigate to advanced characters in virtual keyboard
3) Press the euro sign and cinnamon-screensaver crashes. In the screenshot I post you can see the clear Xorg error it posts.

After the patch, no issues whatsoever. Since this is easier than I thought to reproduce, I'll spin up a Focal test too.

tags: added: verification-done-groovy
Joshua Peisach (itzswirlz) wrote :

And Focal verification done, same process/results.

tags: added: verification-done verification-done-focal
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package caribou - 0.4.21-7ubuntu0.20.04.1

---------------
caribou (0.4.21-7ubuntu0.20.04.1) focal-security; urgency=high

  * SECURITY UPDATE: Fix segfaults with recent versions of Xorg that
    causes cinnamon to crash (LP: #1912060)
  * Fix build with newer versions of valac

 -- Fabio Fantoni <email address hidden> Sat, 23 Jan 2021 11:30:08 +0100

Changed in caribou (Ubuntu Focal):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package caribou - 0.4.21-7ubuntu0.20.10.1

---------------
caribou (0.4.21-7ubuntu0.20.10.1) groovy-security; urgency=high

  * SECURITY UPDATE: Fix segfaults with recent versions of Xorg that
    causes cinnamon to crash (LP: #1912060)
  * Fix build with newer versions of valac

 -- Joshua Peisach <email address hidden> Mon, 22 Mar 2021 18:04:23 -0400

Changed in caribou (Ubuntu Groovy):
status: In Progress → Fix Released
This report contains Public Security information  
Everyone can see this security related information.