CVE-2007-5585 authentication bypass

Related Vulnerabilities: CVE-2007-5585  

Debian Bug report logs - #448157
Reported by: Nico Golde <nion@debian.org>

Date: Fri, 26 Oct 2007 13:15:02 UTC

Severity: grave

Tags: security

Fixed in versions xscreensaver/5.03-3.1, xscreensaver/5.04-1

Done: Jose Luis Rivas <ghostbar38@gmail.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#448157; Package rss-glx. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Ari Pollak <ari@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-5585 authentication bypass
Date: Fri, 26 Oct 2007 15:11:11 +0200
Package: rss-glx
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for rss-glx.

CVE-2007-5585[0]:
| xscreensaver 5.03 and earlier, when running without
| xscreensaver-gl-extras (GL extras) installed, crashes when
| /usr/bin/xscreensaver-gl-helper does not exist and a user attempts to
| unlock the screen, which allows attackers with physical access to gain
| access to the locked session.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

So I think rss-glx should depend on xscreensaver-gl. I can't 
reproduce xscreensaver crashing, however it will exit if the 
xscreensaver-gl-helper program is missing.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5585

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Bug reassigned from package `rss-glx' to `xscreensaver'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Fri, 26 Oct 2007 16:18:19 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Jose Luis Rivas <ghostbar38@gmail.com>:
Bug#448157; Package xscreensaver. (full text, mbox, link).


Acknowledgement sent to Jose Luis Rivas Contreras <ghostbar38@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jose Luis Rivas <ghostbar38@gmail.com>. (full text, mbox, link).


Message #12 received at 448157@bugs.debian.org (full text, mbox, reply):

From: Jose Luis Rivas Contreras <ghostbar38@gmail.com>
To: 448157@bugs.debian.org, control@bugs.debian.org, 448157-submitter@bugs.debian.org
Subject: CVE-2007-5585 authentication bypass
Date: Sat, 27 Oct 2007 11:30:53 -0400
reassign 448157 rss-glx
thanks

Hi,

There's no such `xscreensaver-gl-extras' package, xscreensaver-gl-helper
is installed with `xscreensaver-gl' so `rss-glx' should really suggest
xscreensaver-gl instead of xscreensaver.

ghostbar@hyperion:~$ dpkg -S /usr/bin/xscreensaver-gl-helper
xscreensaver-gl: /usr/bin/xscreensaver-gl-helper.

`xscreensaver' cannot depend on `xscreensaver-gl' because it is not needed,
and neither is `xscreensaver-gl-helper'. The only workaround I can figure
out right now is for the maintainer of `rss-glx' to make it depend on
`xscreensaver-gl' if xscreensaver is installed. I don't know if there's
already a field that does this in `debian/control' (I didn't find
anything)...

So that's why I'm reassigning this bug to `rss-glx' (again), because it is
not really a bug in xscreensaver. Besides, I don't know why it needs to
run xscreensaver-gl-helper when unlocking; it should run it when locking
the screen, there's no need to run it at "unlocking-time".

Regards,
Jose Luis.
-- 

ghostbar on debian linux 'sid' 2.6.22 x86_64-SMP - #382503
Weblog: http://ghostbar.ath.cx/ - http://linuxtachira.org
http://debian.org.ve - irc.debian.org #debian-ve #debian-devel-es
San Cristóbal, Venezuela. http://chaslug.org.ve GPG: 0xCACAB118


Bug reassigned from package `xscreensaver' to `rss-glx'. Request was from Jose Luis Rivas Contreras <ghostbar38@gmail.com> to control@bugs.debian.org. (Sat, 27 Oct 2007 15:36:03 GMT) (full text, mbox, link).


Message sent on to Nico Golde <nion@debian.org>:
Bug#448157. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#448157; Package rss-glx. (full text, mbox, link).


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Ari Pollak <ari@debian.org>. (full text, mbox, link).


Message #22 received at 448157@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>
To: Jose Luis Rivas Contreras <ghostbar38@gmail.com>, 448157@bugs.debian.org
Cc: 448157-submitter@bugs.debian.org
Subject: Re: Bug#448157: CVE-2007-5585 authentication bypass
Date: Sat, 27 Oct 2007 18:00:24 +0200
Hi Jose,
* Jose Luis Rivas Contreras <ghostbar38@gmail.com> [2007-10-27 17:40]:
> There's no such `xscreensaver-gl-extras' package, xscreensaver-gl-helper
> is installed with `xscreensaver-gl' so `rss-glx' should really suggest
> xscreensaver-gl instead of xscreensaver.

Yes, but this would only work around the problem. That is why
I reassigned this bug to xscreensaver. Ari is currently
preparing a package with a changed dependency but we decided
that this is more an xscreensaver issue because xscreensaver
could just stay blank and print a message for example
instead of exiting.

[...] 
> So that's why I'm reassigning this bug to `rss-glx' (again), because it is
> not really a bug in xscreensaver. Besides, I don't know why it needs to
> run xscreensaver-gl-helper when unlocking; it should run it when locking
> the screen, there's no need to run it at "unlocking-time".

Considering what I wrote above, do you agree to reassign 
this to xscreensaver? Ari, maybe you can also state what you 
think.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Message sent on to Nico Golde <nion@debian.org>:
Bug#448157. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#448157; Package rss-glx. (full text, mbox, link).


Acknowledgement sent to Jose Luis Rivas Contreras <ghostbar38@gmail.com>:
Extra info received and forwarded to list. Copy sent to Ari Pollak <ari@debian.org>. (full text, mbox, link).


Message #30 received at 448157@bugs.debian.org (full text, mbox, reply):

From: Jose Luis Rivas Contreras <ghostbar38@gmail.com>
To: 448157@bugs.debian.org, 448157-submitter@bugs.debian.org
Subject: Re: Bug#448157: CVE-2007-5585 authentication bypass
Date: Sat, 27 Oct 2007 12:29:54 -0400
Nico Golde wrote:
> Hi Jose,
> * Jose Luis Rivas Contreras <ghostbar38@gmail.com> [2007-10-27 17:40]:
>> There's no such `xscreensaver-gl-extras' package, xscreensaver-gl-helper
>> is installed with `xscreensaver-gl' so `rss-glx' should really suggest
>> xscreensaver-gl instead of xscreensaver.
> 
> Yes, but this would only work around the problem. That is why
> I reassigned this bug to xscreensaver. Ari is currently
> preparing a package with a changed dependency but we decided
> that this is more an xscreensaver issue because xscreensaver
> could just stay blank and print a message for example
> instead of exiting.

Oh! I thought you wrote that the screen remained locked. Well, really
rss-glx should _not_ use gl-helper for unlocking and I don't know how
exactly to reproduce it in a correctly configured environment (I mean
with xscreensaver-gl installed). Why is xscreensaver-gl needed? Well,
it has the binaries needed by xscreensaver to run any gl hack.
> 
> [...] 
>> So that's why I'm reassigning this bug to `rss-glx' (again), because it is
>> not really a bug in xscreensaver. Besides, I don't know why it needs to
>> run xscreensaver-gl-helper when unlocking; it should run it when locking
>> the screen, there's no need to run it at "unlocking-time".
> 
> Considering what I wrote above, do you agree to reassign 
> this to xscreensaver? Ari, maybe you can also state what you 
> think.

Well, it is not an xscreensaver bug, as I already wrote above; rss-glx
really does need xscreensaver-gl to work with xscreensaver.

So basically rss-glx depending on xscreensaver-gl when it is using
xscreensaver should fix this bug and not just be a workaround.

And it is not just a workaround, because I'm working right now on separating
the hacks of xscreensaver, so there will be two more packages,
xscreensaver-hacks and xscreensaver-gl-hacks, making them available to
apps like gnome-screensaver without installing the binaries, so it is going
to be safe to install xscreensaver-gl without installing unnecessary hacks.

So considering that this is not done yet (splitting xscreensaver), that
there's already a wishlist about splitting the package, and that this bug is
not exactly an xscreensaver bug, this bug could be blocked by #410095 and
I don't think it should be reassigned to xscreensaver.

Regards,
Jose Luis.
-- 

ghostbar on debian linux 'sid' 2.6.22 x86_64-SMP - #382503
Weblog: http://ghostbar.ath.cx/ - http://linuxtachira.org
http://debian.org.ve - irc.debian.org #debian-ve #debian-devel-es
San Cristóbal, Venezuela. http://chaslug.org.ve GPG: 0xCACAB118


Message sent on to Nico Golde <nion@debian.org>:
Bug#448157. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#448157; Package rss-glx. (full text, mbox, link).


Acknowledgement sent to "Ari Pollak" <ari@debian.org>:
Extra info received and forwarded to list. Copy sent to Ari Pollak <ari@debian.org>. (full text, mbox, link).


Message #38 received at 448157@bugs.debian.org (full text, mbox, reply):

From: "Ari Pollak" <ari@debian.org>
To: "Jose Luis Rivas Contreras" <ghostbar38@gmail.com>, 448157@bugs.debian.org
Cc: 448157-submitter@bugs.debian.org
Subject: Re: Bug#448157: CVE-2007-5585 authentication bypass
Date: Sat, 27 Oct 2007 15:02:51 -0400 (EDT)
The point here is that xscreensaver should not unlock the screen when
missing xscreensaver-gl-helper, it should just display a blank
screensaver. rss-glx does not NEED to be run with xscreensaver-gl-helper
as it's perfectly feasible to run with gnome-screensaver, so rss-glx
shouldn't need to depend on xscreensaver-gl to prevent xscreensaver from
crashing.
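
The fail-closed behaviour argued for in the message above (a missing helper leaves the session locked behind a blank screen instead of ending the locker), as an added example; it is not xscreensaver's code or the upstream patch. `struct locker`, `run_helper`, `start_visual`, `try_unlock` and the helper path are hypothetical names chosen for the illustration.

```c
/* Added illustration; NOT xscreensaver source. All names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum lock_state { LOCKED, UNLOCKED };
enum visual { VISUAL_NONE, VISUAL_HELPER, VISUAL_BLANK };

struct locker {
    enum lock_state state;
    enum visual visual;
};

/* Run an optional helper program and wait for it.
 * Returns 0 if it ran and exited 0, -1 if it is missing or failed. */
static int run_helper(const char *path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl(path, path, (char *)NULL);
        _exit(127);             /* exec failed: only the child exits */
    }
    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Fail closed: a missing helper only degrades the display to a blank
 * screen. The lock state is never touched on this path and the locker
 * process itself keeps running. */
static void start_visual(struct locker *l, const char *helper_path)
{
    if (run_helper(helper_path) == 0) {
        l->visual = VISUAL_HELPER;
    } else {
        l->visual = VISUAL_BLANK;
        fprintf(stderr, "helper %s unavailable, showing blank screen\n",
                helper_path);
    }
}

/* The only transition to UNLOCKED is a successful authentication. */
static void try_unlock(struct locker *l, int auth_ok)
{
    if (auth_ok)
        l->state = UNLOCKED;
}

int main(void)
{
    struct locker l = { LOCKED, VISUAL_NONE };
    /* Constructed path that does not exist, standing in for a missing helper. */
    start_visual(&l, "/nonexistent/xscreensaver-gl-helper");
    try_unlock(&l, 0);          /* failed password attempt */
    printf("state=%s visual=%s\n",
           l.state == LOCKED ? "LOCKED" : "UNLOCKED",
           l.visual == VISUAL_BLANK ? "blank" : "helper");
    return l.state == LOCKED ? 0 : 1;
}
```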





Message sent on to Nico Golde <nion@debian.org>:
Bug#448157. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#448157; Package rss-glx. (full text, mbox, link).


Acknowledgement sent to Jose Luis Rivas Contreras <ghostbar38@gmail.com>:
Extra info received and forwarded to list. Copy sent to Ari Pollak <ari@debian.org>. (full text, mbox, link).


Message #46 received at 448157@bugs.debian.org (full text, mbox, reply):

From: Jose Luis Rivas Contreras <ghostbar38@gmail.com>
To: 448157@bugs.debian.org
Cc: Ari Pollak <ari@debian.org>, 448157-submitter@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#448157: CVE-2007-5585 authentication bypass
Date: Sat, 27 Oct 2007 21:15:49 -0400
reassign 448157 xscreensaver
quit

Ari Pollak wrote:
> The point here is that xscreensaver should not unlock the screen when
> missing xscreensaver-gl-helper, it should just display a blank
> screensaver. rss-glx does not NEED to be run with xscreensaver-gl-helper
> as it's perfectly feasible to run with gnome-screensaver, so rss-glx
> shouldn't need to depend on xscreensaver-gl to prevent xscreensaver from
> crashing.
> 
> 
Ok, that's a point, I'm reassigning the bug to xscreensaver then and
will figure out what's wrong when rss-glx is running.

Regards,
Jose Luis.
-- 

ghostbar on debian linux 'sid' 2.6.22 x86_64-SMP - #382503
Weblog: http://ghostbar.ath.cx/ - http://linuxtachira.org
http://debian.org.ve - irc.debian.org #debian-ve #debian-devel-es
San Cristóbal, Venezuela. http://chaslug.org.ve GPG: 0xCACAB118


Bug reassigned from package `rss-glx' to `xscreensaver'. Request was from Jose Luis Rivas Contreras <ghostbar38@gmail.com> to control@bugs.debian.org. (Sun, 28 Oct 2007 01:21:02 GMT) (full text, mbox, link).


Message sent on to Nico Golde <nion@debian.org>:
Bug#448157. (full text, mbox, link).


Information stored:
Bug#448157; Package xscreensaver. (full text, mbox, link).


Acknowledgement sent to Jamie Zawinski <jwz@jwz.org>:
Extra info received and filed, but not forwarded. (full text, mbox, link).


Message #56 received at 448157-quiet@bugs.debian.org (full text, mbox, reply):

From: Jamie Zawinski <jwz@jwz.org>
To: Jose Luis Rivas Contreras <ghostbar38@gmail.com>, 448157-quiet@bugs.debian.org
Subject: Re: Bug#448157: CVE-2007-5585 authentication bypass
Date: Thu, 1 Nov 2007 13:31:25 -0700
I don't understand how xscreensaver-gl-helper not being installed  
could cause this sort of thing.  However, this does sound vaguely  
like another bug: can one of you who is able to reproduce the problem  
try this patch and let me know if it works?

Thanks...


[diff.txt (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jose Luis Rivas <ghostbar38@gmail.com>:
Bug#448157; Package xscreensaver. (full text, mbox, link).


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Jose Luis Rivas <ghostbar38@gmail.com>. (full text, mbox, link).


Message #61 received at 448157@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Jamie Zawinski <jwz@jwz.org>
Cc: 448157@bugs.debian.org
Subject: CVE-2007-5585 authentication bypass (FTBFS with patch)
Date: Tue, 6 Nov 2007 11:11:29 +1100
With this patch, xscreensaver fails to build:

lock.c: In function ‘update_passwd_window’:
lock.c:1082: error: ‘saver_screen_info’ has no member named ‘root_depth’
make[2]: *** [lock.o] Error 1
make[2]: Leaving directory 
`/home/white/white/debian/debs/security/xscreensaver/new/xscreensaver-5.03/driver'
make[1]: *** [default] Error 5
make[1]: Leaving directory 
`/home/white/white/debian/debs/security/xscreensaver/new/xscreensaver-5.03'
make: *** [build-stamp] Error 2
debuild: fatal error at line 1237:
debian/rules build failed

I am happy to try any other patch.

Cheers
Steffen

Information forwarded to debian-bugs-dist@lists.debian.org, Jose Luis Rivas <ghostbar38@gmail.com>:
Bug#448157; Package xscreensaver. (full text, mbox, link).


Acknowledgement sent to Jamie Zawinski <jwz@jwz.org>:
Extra info received and forwarded to list. Copy sent to Jose Luis Rivas <ghostbar38@gmail.com>. (full text, mbox, link).


Message #66 received at 448157@bugs.debian.org (full text, mbox, reply):

From: Jamie Zawinski <jwz@jwz.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 448157@bugs.debian.org
Subject: Re: Bug#448157: CVE-2007-5585 authentication bypass (FTBFS with patch)
Date: Mon, 5 Nov 2007 18:52:56 -0800
On Nov 5, 2007, at 4:11 PM, Steffen Joeris wrote:

> With this patch, xscreensaver fails to build:

Sorry, typo: pw->prompt_screen should have been
pw->prompt_screen->screen.  Revised patch:


[diff.txt (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jose Luis Rivas <ghostbar38@gmail.com>:
Bug#448157; Package xscreensaver. (full text, mbox, link).


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Jose Luis Rivas <ghostbar38@gmail.com>. (full text, mbox, link).


Message #71 received at 448157@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Jamie Zawinski <jwz@jwz.org>
Cc: 448157@bugs.debian.org
Subject: Re: Bug#448157: CVE-2007-5585 authentication bypass (FTBFS with patch)
Date: Tue, 6 Nov 2007 15:32:53 +1100
On Tue, 6 Nov 2007 01:52:56 pm Jamie Zawinski wrote:
> On Nov 5, 2007, at 4:11 PM, Steffen Joeris wrote:
> > With this patch, xscreensaver fails to build:
>
> Sorry, typo: pw->prompt_screen should have been
> pw->prompt_screen->screen.  Revised patch:
The patch works and the crash is gone.

I also attached an NMU proposal for this bug. I'll upload as soon as
ftp-master is back online (please tell me if you want to take care of that
by yourself).

Cheers
Steffen
[nmu.patch (text/x-diff, attachment)]

Reply sent to Steffen Joeris <white@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #76 received at 448157-close@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <white@debian.org>
To: 448157-close@bugs.debian.org
Subject: Bug#448157: fixed in xscreensaver 5.03-3.1
Date: Fri, 16 Nov 2007 04:17:04 +0000
Source: xscreensaver
Source-Version: 5.03-3.1

We believe that the bug you reported is fixed in the latest version of
xscreensaver, which is due to be installed in the Debian FTP archive:

xscreensaver-gl_5.03-3.1_amd64.deb
  to pool/main/x/xscreensaver/xscreensaver-gl_5.03-3.1_amd64.deb
xscreensaver_5.03-3.1.diff.gz
  to pool/main/x/xscreensaver/xscreensaver_5.03-3.1.diff.gz
xscreensaver_5.03-3.1.dsc
  to pool/main/x/xscreensaver/xscreensaver_5.03-3.1.dsc
xscreensaver_5.03-3.1_amd64.deb
  to pool/main/x/xscreensaver/xscreensaver_5.03-3.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 448157@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steffen Joeris <white@debian.org> (supplier of updated xscreensaver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Fri, 16 Nov 2007 15:04:15 +1100
Source: xscreensaver
Binary: xscreensaver xscreensaver-gl
Architecture: source amd64
Version: 5.03-3.1
Distribution: unstable
Urgency: high
Maintainer: Jose Luis Rivas <ghostbar38@gmail.com>
Changed-By: Steffen Joeris <white@debian.org>
Description: 
 xscreensaver - Automatic screensaver for X
 xscreensaver-gl - GL(Mesa) screen hacks for xscreensaver
Closes: 448157
Changes: 
 xscreensaver (5.03-3.1) unstable; urgency=high
 .
   * Non-maintainer upload by the testing-security team
   * Include upstream patch to fix crash with gl screensavers, which
     leads to an authentication bypass (Closes: #448157)
     Fixes: CVE-2007-5585
Files: 
 d3f692984670185155d97ef608678b23 1075 x11 optional xscreensaver_5.03-3.1.dsc
 6ede3fe549343ae5e4a44db40fe1e0ea 189655 x11 optional xscreensaver_5.03-3.1.diff.gz
 01f203b9abe72e94ce05c5e57d0915af 4432920 x11 optional xscreensaver_5.03-3.1_amd64.deb
 6a715c86e57b6accf06f6de769e756aa 3877190 x11 optional xscreensaver-gl_5.03-3.1_amd64.deb

Reply sent to Jose Luis Rivas <ghostbar38@gmail.com>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #81 received at 448157-close@bugs.debian.org (full text, mbox, reply):

From: Jose Luis Rivas <ghostbar38@gmail.com>
To: 448157-close@bugs.debian.org
Subject: Bug#448157: fixed in xscreensaver 5.04-1
Date: Thu, 06 Dec 2007 00:02:09 +0000
Source: xscreensaver
Source-Version: 5.04-1

We believe that the bug you reported is fixed in the latest version of
xscreensaver, which is due to be installed in the Debian FTP archive:

xscreensaver-gl_5.04-1_i386.deb
  to pool/main/x/xscreensaver/xscreensaver-gl_5.04-1_i386.deb
xscreensaver_5.04-1.diff.gz
  to pool/main/x/xscreensaver/xscreensaver_5.04-1.diff.gz
xscreensaver_5.04-1.dsc
  to pool/main/x/xscreensaver/xscreensaver_5.04-1.dsc
xscreensaver_5.04-1_i386.deb
  to pool/main/x/xscreensaver/xscreensaver_5.04-1_i386.deb
xscreensaver_5.04.orig.tar.gz
  to pool/main/x/xscreensaver/xscreensaver_5.04.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 448157@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jose Luis Rivas <ghostbar38@gmail.com> (supplier of updated xscreensaver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Mon, 26 Nov 2007 14:04:52 -0400
Source: xscreensaver
Binary: xscreensaver xscreensaver-gl
Architecture: source i386
Version: 5.04-1
Distribution: unstable
Urgency: low
Maintainer: Jose Luis Rivas <ghostbar38@gmail.com>
Changed-By: Jose Luis Rivas <ghostbar38@gmail.com>
Description: 
 xscreensaver - Automatic screensaver for X
 xscreensaver-gl - GL(Mesa) screen hacks for xscreensaver
Closes: 448157
Changes: 
 xscreensaver (5.04-1) unstable; urgency=low
 .
   * New upstream release
   * David Moreno Garza (damog) removed from Uploaders field.
   * Fixed authentication bypass (CVE-2007-5585) by upstream (closes: #448157)
Files: 
 82be25345dcc44a930610f30c90fa031 1022 x11 optional xscreensaver_5.04-1.dsc
 1d27b5ddecdb49c806d1e91ca82fc43e 5438905 x11 optional xscreensaver_5.04.orig.tar.gz
 da094ccc720eaa6044855fc92dd6f60b 174586 x11 optional xscreensaver_5.04-1.diff.gz
 7ca14864fb1d0a4f7f6c945813de8da5 4024386 x11 optional xscreensaver_5.04-1_i386.deb
 3a6907b87ab71c3af52b9bce20ab5c3d 3592580 x11 optional xscreensaver-gl_5.04-1_i386.deb

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 09:23:13 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:56:59 2019; Machine Name: beach
