Debian Bug report logs - #449108
CVE-2007-3920: bypass password authentication

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Sat, 3 Nov 2007 03:15:02 UTC

Severity: grave

Tags: patch, security

Fixed in version xorg-server/2:1.4.1~git20080118-1

Done: Brice Goglin <bgoglin@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://bugs.opencompositing.org/show_bug.cgi?id=668


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#449108; Package compiz.


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian X Strike Force <debian-x@lists.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2007-3920: bypass password authentication
Date: Sat, 03 Nov 2007 14:15:31 +1100
Package: compiz
Severity: grave
Tags: security
Justification: user security hole

Hi

The following CVE[0] has been issued for gnome-screensaver and compiz.
gnome-screensaver is already fixed, but compiz also seems to be
affected.
Here is the text

CVE-2007-3920:

GNOME screensaver 2.20 in Ubuntu 7.10, when used with Compiz, does not
properly reserve input focus, which allows attackers with physical
access to take control of the session after entering an Alt-Tab
sequence, a related issue to CVE-2007-3069.

Please mention the CVE number in your changelog, if you fix this issue
by an upload.

Please also consider the patch below. It is fetched from the ubuntu
security update.

Cheers
Steffen

[0]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3920

diff -u compiz-0.5.2/debian/changelog compiz-0.5.2/debian/changelog
--- compiz-0.5.2/debian/changelog
+++ compiz-0.5.2/debian/changelog
@@ -1,3 +1,12 @@
+compiz (0.5.2-2.1) unstable; urgency=high
+
+  * Non-maintainer upload by the testing-security team
+  * Make sure that gnome-screensaver never gets unredirected to avoid
+    that it loses its keyboard grab Fixes: CVE-2007-3920
+    Thanks to Michael Voigt and Ubuntu
+
+ -- Steffen Joeris <white@debian.org>  Sat, 03 Nov 2007 00:33:48 +0000
+
 compiz (0.5.2-2) unstable; urgency=low

   * oops, shipping copies of a few .h and .pc files in both compiz-dev
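Review bot: the second changelog bullet runs two sentences together ("...to avoid that it loses its keyboard grab Fixes: CVE-2007-3920"); put a full stop after "grab" or move "Fixes: CVE-2007-3920" onto its own line so the CVE reference the cover mail asks for is unambiguous when the changelog is scanned. The NMU version 0.5.2-2.1 and urgency=high are appropriate for a security upload.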
diff -u compiz-0.5.2/debian/patches/series compiz-0.5.2/debian/patches/series
--- compiz-0.5.2/debian/patches/series
+++ compiz-0.5.2/debian/patches/series
@@ -3,0 +4 @@
+016_CVE-2007-3920.patch
only in patch4:
unchanged:
--- compiz-0.5.2.orig/debian/patches/016_CVE-2007-3920.patch
+++ compiz-0.5.2/debian/patches/016_CVE-2007-3920.patch
@@ -0,0 +1,13 @@
+--- paint.c.orig       2007-11-03 00:31:52.000000000 +0000
++++ compiz-0.5.2/src/paint.c   2007-11-03 00:32:39.000000000 +0000
+@@ -211,7 +211,9 @@
+           if (count == 0                                            &&
+               !REGION_NOT_EMPTY (tmpRegion)                         &&
+               screen->opt[COMP_SCREEN_OPTION_UNREDIRECT_FS].value.b &&
+-              XEqualRegion (w->region, &screen->region))
++              XEqualRegion (w->region, &screen->region)             &&
++              !(w->resName && strcmp(w->resName, "gnome-screensaver") == 0)
++              )
+           {
+               unredirectWindow (w);
+               fullscreenWindow = w;
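Review bot: the added condition exempts only windows whose resource name is exactly "gnome-screensaver", so any other screen locker that maps a fullscreen window (or a gnome-screensaver build that sets a different resName) is still unredirected and still loses its grab; since the bug is later reassigned to xserver-xorg-core (Message #29), the grab loss originates in the server and this is a per-client workaround rather than a fix of the underlying behaviour. If the workaround is kept, say so in the changelog and consider making the exempted class list configurable instead of a single string literal. Two smaller points: strcmp requires <string.h>, which the hunk does not show paint.c including, so confirm it builds; and the file header pairs "paint.c.orig" with "compiz-0.5.2/src/paint.c", so normalise both paths (for example a/src/paint.c and b/src/paint.c) so that quilt's default -p1 resolves the file.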


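A way to check, on a running session, whether the locker still owns the keyboard after compiz has unredirected its window. This is an added example for the report above, not code from the bug report, compiz, gnome-screensaver or the X server. It calls the standard Xlib functions XOpenDisplay, XDefaultRootWindow, XGrabKeyboard, XUngrabKeyboard and XCloseDisplay through ctypes and assumes libX11 is installed and that DISPLAY and XAUTHORITY give access to the locked session (for example over ssh as the logged-in user). The `xlib` parameter is there only so the probe can be exercised with a stand-in object where no X server is available; the status constants are the values from X.h.

```python
"""Probe whether a screen locker still holds the X keyboard grab.

Added example for Debian bug #449108 / CVE-2007-3920; not code from the
bug report, compiz, gnome-screensaver or the X server.  Assumes libX11
and access to the locked session's DISPLAY.
"""
import ctypes
import ctypes.util
import os

# Xlib constants from X.h.
GRAB_MODE_ASYNC = 1
CURRENT_TIME = 0
GRAB_SUCCESS = 0
ALREADY_GRABBED = 1
GRAB_INVALID_TIME = 2
GRAB_NOT_VIEWABLE = 3
GRAB_FROZEN = 4

VERDICTS = {
    GRAB_SUCCESS: "no active keyboard grab: keystrokes reach whatever has focus, the locker is bypassed",
    ALREADY_GRABBED: "keyboard grab held by another client: the locker's grab is intact",
    GRAB_FROZEN: "keyboard frozen by another grab: the locker's grab is intact",
    GRAB_INVALID_TIME: "grab refused for timestamp reasons: inconclusive, retry",
    GRAB_NOT_VIEWABLE: "root window reported not viewable: inconclusive",
}


def load_xlib():
    """Load libX11 and declare the argument/return types of the calls we use."""
    path = ctypes.util.find_library("X11")
    if path is None:
        raise RuntimeError("libX11 not found")
    x = ctypes.CDLL(path)
    x.XOpenDisplay.argtypes = [ctypes.c_char_p]
    x.XOpenDisplay.restype = ctypes.c_void_p
    x.XDefaultRootWindow.argtypes = [ctypes.c_void_p]
    x.XDefaultRootWindow.restype = ctypes.c_ulong
    x.XGrabKeyboard.argtypes = [ctypes.c_void_p, ctypes.c_ulong, ctypes.c_int,
                                ctypes.c_int, ctypes.c_int, ctypes.c_ulong]
    x.XGrabKeyboard.restype = ctypes.c_int
    x.XUngrabKeyboard.argtypes = [ctypes.c_void_p, ctypes.c_ulong]
    x.XUngrabKeyboard.restype = ctypes.c_int
    x.XCloseDisplay.argtypes = [ctypes.c_void_p]
    x.XCloseDisplay.restype = ctypes.c_int
    return x


def probe_keyboard_grab(display=None, xlib=None):
    """Return the XGrabKeyboard status observed on `display`.

    A lock screen that owns the keyboard makes our grab fail with
    AlreadyGrabbed (or GrabFrozen).  GrabSuccess while the screen is locked
    is the failure mode of CVE-2007-3920: the locker no longer holds the
    grab, so input goes to other windows.  `xlib` is a hypothetical hook
    for injecting a stand-in object; by default the real libX11 is loaded.
    """
    xlib = xlib or load_xlib()
    name = (display or os.environ.get("DISPLAY", ":0")).encode()
    dpy = xlib.XOpenDisplay(name)
    if not dpy:
        raise RuntimeError(f"cannot open display {name.decode()}")
    try:
        root = xlib.XDefaultRootWindow(dpy)
        status = xlib.XGrabKeyboard(dpy, root, 0, GRAB_MODE_ASYNC,
                                    GRAB_MODE_ASYNC, CURRENT_TIME)
        if status == GRAB_SUCCESS:
            # We only wanted to know whether the grab was free; give it back at once.
            xlib.XUngrabKeyboard(dpy, CURRENT_TIME)
    finally:
        xlib.XCloseDisplay(dpy)
    return status


def locker_holds_keyboard(status):
    """True when the observed status means some other client owns the keyboard."""
    return status in (ALREADY_GRABBED, GRAB_FROZEN)


def verdict(status):
    return VERDICTS.get(status, f"unknown XGrabKeyboard status {status}")


if __name__ == "__main__":
    s = probe_keyboard_grab()
    print(verdict(s))
    raise SystemExit(0 if locker_holds_keyboard(s) else 1)
```

Lock the screen, perform the Alt-Tab sequence the CVE text describes, then run the script from another terminal as the session user: a non-zero exit means the locker has lost its keyboard grab. Because the probe connects as the session user it tells you whether the locker's grab is intact, not whether someone at the console can exploit it; the physical-access part of the attack is the Alt-Tab step itself.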


Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#449108; Package compiz.


Acknowledgement sent to Lubomir Kundrak <lkundrak@redhat.com>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>.


Message #10 received at 449108@bugs.debian.org:

From: Lubomir Kundrak <lkundrak@redhat.com>
To: 449108@bugs.debian.org
Subject: CVE-2007-3920: bypass password authentication
Date: Mon, 05 Nov 2007 22:21:10 +0100
Please note that Red Hat believes that the attached patch is not
completely correct. See the Red Hat bugzilla entry for justification and
another patch:

https://bugzilla.redhat.com/show_bug.cgi?id=350271

-- 
Lubomir Kundrak (Red Hat Security Response Team)





Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#449108; Package compiz.


Acknowledgement sent to Lubomir Kundrak <lkundrak@redhat.com>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>.


Message #15 received at 449108@bugs.debian.org:

From: Lubomir Kundrak <lkundrak@redhat.com>
To: 449108@bugs.debian.org
Subject: CVE-2007-3920: bypass password authentication
Date: Mon, 05 Nov 2007 22:24:04 +0100
Whoops, I am terribly sorry for the noise. In fact I did not notice that
this is a different patch from proposed upstream one and is likely to be
correct.

-- 
Lubomir Kundrak (Red Hat Security Response Team)





Tags added: patch Request was from "brian m. carlson" <sandals@crustytoothpaste.ath.cx> to control@bugs.debian.org. (Fri, 23 Nov 2007 18:39:05 GMT)


Noted your statement that Bug has been forwarded to http://bugs.opencompositing.org/show_bug.cgi?id=668. Request was from sean finney <seanius@debian.org> to control@bugs.debian.org. (Fri, 14 Dec 2007 18:45:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#449108; Package compiz.


Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>.


Message #24 received at 449108@bugs.debian.org:

From: sean finney <seanius@debian.org>
To: dev@lists.compiz-fusion.org
Cc: 449108@bugs.debian.org
Subject: CVE-2007-3920 anyone?
Date: Fri, 14 Dec 2007 19:44:49 +0100
hi there,

Some time ago, CVE-2007-3920 was reported as a vulnerability on compiz, but I 
have yet to see any comment from the compiz/compiz-fusion folks about it.  
I've submitted a bug to the opencompositing bugzilla database, but it's been 
over a week without any comment:

http://bugs.opencompositing.org/show_bug.cgi?id=668

looking at the recent lack of activity in the bts i wonder if maybe i've 
reported this issue to the wrong place?  or maybe it's just all this 
objectframework stuff is taking up the dev team's time?

in any event the bug report has a pretty concise summary and i'd appreciate 
some official comment on the compiz/compiz-fusion opinion of the bug.

thanks!

(please continue to cc me and the debian bug address i've cc'd, as neither of 
us are subscribed to the list :)

	sean

Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#449108; Package compiz.


Acknowledgement sent to Brice Goglin <Brice.Goglin@ens-lyon.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>.


Message #29 received at 449108@bugs.debian.org:

From: Brice Goglin <Brice.Goglin@ens-lyon.org>
To: sean finney <seanius@debian.org>, 449108@bugs.debian.org
Cc: dev@lists.compiz-fusion.org
Subject: Re: Bug#449108: CVE-2007-3920 anyone?
Date: Thu, 17 Jan 2008 20:34:50 +0100
reassign 449108 xserver-xorg-core
tags 449108 +pending
thank you



As discussed on IRC, this should be fixed by xserver commit
http://cgit.freedesktop.org/xorg/xserver/commit/?id=a6a7fadbb03ee99312dfb15ac478ab3c414c1c0b

I just applied the patch to xorg-server, I am reassigning and tagging
the bug accordingly.

Brice





Bug reassigned from package `compiz' to `xserver-xorg-core'. Request was from Brice Goglin <Brice.Goglin@ens-lyon.org> to control@bugs.debian.org. (Thu, 17 Jan 2008 19:42:10 GMT)


Tags added: pending Request was from Brice Goglin <Brice.Goglin@ens-lyon.org> to control@bugs.debian.org. (Thu, 17 Jan 2008 19:42:10 GMT)


Reply sent to Brice Goglin <bgoglin@debian.org>:
You have taken responsibility.


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.


Message #38 received at 449108-close@bugs.debian.org:

From: Brice Goglin <bgoglin@debian.org>
To: 449108-close@bugs.debian.org
Subject: Bug#449108: fixed in xorg-server 2:1.4.1~git20080118-1
Date: Fri, 18 Jan 2008 22:32:07 +0000
Source: xorg-server
Source-Version: 2:1.4.1~git20080118-1

We believe that the bug you reported is fixed in the latest version of
xorg-server, which is due to be installed in the Debian FTP archive:

xnest_1.4.1~git20080118-1_i386.deb
  to pool/main/x/xorg-server/xnest_1.4.1~git20080118-1_i386.deb
xorg-server_1.4.1~git20080118-1.diff.gz
  to pool/main/x/xorg-server/xorg-server_1.4.1~git20080118-1.diff.gz
xorg-server_1.4.1~git20080118-1.dsc
  to pool/main/x/xorg-server/xorg-server_1.4.1~git20080118-1.dsc
xorg-server_1.4.1~git20080118.orig.tar.gz
  to pool/main/x/xorg-server/xorg-server_1.4.1~git20080118.orig.tar.gz
xserver-xephyr_1.4.1~git20080118-1_i386.deb
  to pool/main/x/xorg-server/xserver-xephyr_1.4.1~git20080118-1_i386.deb
xserver-xorg-core-dbg_1.4.1~git20080118-1_i386.deb
  to pool/main/x/xorg-server/xserver-xorg-core-dbg_1.4.1~git20080118-1_i386.deb
xserver-xorg-core_1.4.1~git20080118-1_i386.deb
  to pool/main/x/xorg-server/xserver-xorg-core_1.4.1~git20080118-1_i386.deb
xserver-xorg-dev_1.4.1~git20080118-1_i386.deb
  to pool/main/x/xorg-server/xserver-xorg-dev_1.4.1~git20080118-1_i386.deb
xvfb_1.4.1~git20080118-1_i386.deb
  to pool/main/x/xorg-server/xvfb_1.4.1~git20080118-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 449108@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brice Goglin <bgoglin@debian.org> (supplier of updated xorg-server package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 18 Jan 2008 22:20:32 +0100
Source: xorg-server
Binary: xserver-xephyr xserver-xorg-core xvfb xserver-xorg-dev xserver-xorg-core-dbg xnest
Architecture: source i386
Version: 2:1.4.1~git20080118-1
Distribution: unstable
Urgency: low
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Brice Goglin <bgoglin@debian.org>
Description: 
 xnest      - Nested X server
 xserver-xephyr - nested X server
 xserver-xorg-core - Xorg X server - core server
 xserver-xorg-core-dbg - Xorg - the X.Org X server (debugging symbols)
 xserver-xorg-dev - Xorg X server - development files
 xvfb       - Virtual Framebuffer 'fake' X server
Closes: 449108 461410
Changes: 
 xorg-server (2:1.4.1~git20080118-1) unstable; urgency=low
 .
   [ Brice Goglin ]
   * Add 42_dont_break_grab_and_focus_for_window_when_redirecting.diff
     to prevent password authentication bypass, closes: #449108.
 .
   [ Julien Cristau ]
   * New upstream snapshot
     + includes the security fixes from the previous version
     + fixes regression introduced by the fix for CVE-2007-6429 in the MIT-SHM
       extension (closes: #461410)
Files: 
 24dfd4eac7f6df7fbc6307674d1f9bd8 2488 x11 optional xorg-server_1.4.1~git20080118-1.dsc
 572101aa38dabcd69349e6213ee02f50 8253335 x11 optional xorg-server_1.4.1~git20080118.orig.tar.gz
 fd50e5a8dd2590dcf2cd39625fbada04 667590 x11 optional xorg-server_1.4.1~git20080118-1.diff.gz
 65683fe75d388f3273808212db7d06b3 4053256 x11 optional xserver-xorg-core_1.4.1~git20080118-1_i386.deb
 cb14d10cc75406578b713b888518ff1a 681882 x11 optional xserver-xorg-dev_1.4.1~git20080118-1_i386.deb
 213bccc8e7a919bf4fb2516ec1b2fcdc 1749182 x11 optional xnest_1.4.1~git20080118-1_i386.deb
 b8c2433fa6429148b094c33cd6bc3f5b 1860152 x11 optional xvfb_1.4.1~git20080118-1_i386.deb
 6c88940dd25a5bc95e67b973228f0c88 1897470 x11 optional xserver-xephyr_1.4.1~git20080118-1_i386.deb
 368af74b934278587b7ea2df4f363552 12570776 x11 extra xserver-xorg-core-dbg_1.4.1~git20080118-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHkSHBRh88F8PcWfoRAocCAKCn4y9XQ1cJnPJuLSqkgiI0NUPbVACfTpsB
zTNquSmyeZquSZOQTDwJB8Y=
=vf67
-----END PGP SIGNATURE-----
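A check for whether an installed xserver-xorg-core carries this fix. This is an added example, not code from the bug report or from dpkg: it reimplements dpkg's version ordering (epoch, then upstream version, then Debian revision, with '~' sorting before everything including end-of-string) so that the snapshot version named in the close message, 2:1.4.1~git20080118-1, compares correctly, where a plain string comparison would not. The fixed version and the package name come from the message above; the other version strings are constructed for illustration, and the dpkg-query options used (-W, -f '${Version}') are dpkg's real ones.

```python
"""Compare an installed Debian package version against the fixed version.

Added example for Debian bug #449108; not code from the bug report or
from dpkg.  Reimplements dpkg's version ordering so that tilde snapshot
versions and epochs compare the way dpkg --compare-versions would.
"""
import subprocess

FIXED_VERSION = "2:1.4.1~git20080118-1"   # from the close message for #449108
PACKAGE = "xserver-xorg-core"


def split_version(version):
    """Return (epoch, upstream, revision) the way dpkg parses a version string."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                      # no hyphen: all upstream, empty revision
        upstream, revision = revision, ""
    return epoch, upstream, revision


def _order(c):
    """Collation weight of one character, as in dpkg's order()."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1                    # '~' sorts before even the end of the string
    return ord(c) + 256              # '.', '+', etc. sort after letters


def _verrevcmp(a, b):
    """dpkg's verrevcmp: alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character by collation weight.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, then the longer digit string wins,
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """Return <0, 0 or >0 as dpkg --compare-versions would order a against b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return ea - eb
    r = _verrevcmp(ua, ub)
    if r != 0:
        return r
    return _verrevcmp(ra, rb)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True if `installed` is the fixed version or newer."""
    return compare_versions(installed, fixed) >= 0


def installed_version(package=PACKAGE):
    """Ask dpkg for the installed version, epoch included."""
    result = subprocess.run(["dpkg-query", "-W", "-f", "${Version}", package],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    v = installed_version()
    state = "fixed" if is_fixed(v) else f"VULNERABLE (older than {FIXED_VERSION})"
    print(f"{PACKAGE} {v}: {state}")
```

Use the version dpkg reports rather than the one in the .deb file name: the file names listed in the close message (xserver-xorg-core_1.4.1~git20080118-1_i386.deb) drop the epoch, and without the leading 2: the same version string compares as older than any epoch-2 version.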





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 06 May 2008 07:30:33 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:05:05 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.