Debian Bug report logs - #569084
CVE-2010-0414

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 9 Feb 2010 23:18:05 UTC

Severity: important

Tags: security

Fixed in versions gnome-screensaver/2.28.0-3, gnome-screensaver/2.28.2-1

Done: Emilio Pozuelo Monfort <pochu@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, gpastore@debian.org (Guilherme de S. Pastore):
Bug#569084; Package gnome-screensaver. (Tue, 09 Feb 2010 23:18:08 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, gpastore@debian.org (Guilherme de S. Pastore). (Tue, 09 Feb 2010 23:18:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-0414
Date: Wed, 10 Feb 2010 00:17:14 +0100
Package: gnome-screensaver
Severity: important
Tags: security

The following was posted to the oss-security mailing list by Vincent Danen
from Red Hat.

Cheers,
        Moritz

----------------------------

This is a heads up on a gnome-screensaver issue that was fixed upstream
today.

In version 2.28, it is possible to circumvent the security of screen
locking functionality by changing the physical monitor configuration.

Details are available in our bugzilla, along with the patch being used
by upstream to correct the issue:

https://bugzilla.redhat.com/show_bug.cgi?id=562217

We have assigned CVE-2010-0414 to this issue.

The code that caused this issue went into gnome-screensaver during the
2.24 development cycle, but auto-configuration of hotplugged monitors
didn't show up until 2.28, and that is a pre-requisite for triggering
the bug, so only 2.28 is vulnerable.

References:

http://git.gnome.org/browse/gnome-screensaver/commit/?id=a5f66339be6719c2b8fc478a1d5fc6545297d950
https://bugzilla.gnome.org/show_bug.cgi?id=609337



-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages gnome-screensaver depends on:
ii  dbus                    1.2.20-2         simple interprocess messaging syst
ii  gconf2                  2.28.0-1         GNOME configuration database syste
ii  gnome-icon-theme        2.28.0-1         GNOME Desktop icon theme
ii  libatk1.0-0             1.28.0-1         The ATK accessibility toolkit
ii  libc6                   2.10.2-5         Embedded GNU C Library: Shared lib
ii  libcairo2               1.8.8-2          The Cairo 2D vector graphics libra
ii  libdbus-1-3             1.2.20-2         simple interprocess messaging syst
ii  libdbus-glib-1-2        0.84-1           simple interprocess messaging syst
ii  libfontconfig1          2.8.0-2          generic font configuration library
ii  libfreetype6            2.3.11-1         FreeType 2 font engine, shared lib
ii  libgconf2-4             2.28.0-1         GNOME configuration database syste
ii  libgl1-mesa-glx [libgl1 7.6.1-1          A free implementation of the OpenG
ii  libglade2-0             1:2.6.4-1        library to load .glade files at ru
ii  libglib2.0-0            2.22.4-1         The GLib library of C routines
pn  libgnome-menu2          <none>           (no description available)
pn  libgnomekbd2            <none>           (no description available)
pn  libgnomekbdui2          <none>           (no description available)
ii  libgtk2.0-0             2.18.6-1         The GTK+ graphical user interface 
ii  libice6                 2:1.0.6-1        X11 Inter-Client Exchange library
ii  libnotify1 [libnotify1- 0.4.5-1          sends desktop notifications to a n
ii  libpam0g                1.1.1-1          Pluggable Authentication Modules l
ii  libpango1.0-0           1.26.2-1         Layout and rendering of internatio
ii  libpng12-0              1.2.42-1         PNG library - runtime
ii  libsm6                  2:1.1.1-1        X11 Session Management library
ii  libx11-6                2:1.3.3-1        X11 client-side library
ii  libxcursor1             1:1.1.10-1       X cursor management library
ii  libxext6                2:1.1.1-2        X11 miscellaneous extension librar
ii  libxfixes3              1:4.0.4-1        X11 miscellaneous 'fixes' extensio
ii  libxi6                  2:1.3-2          X11 Input extension library
ii  libxinerama1            2:1.1-2          X11 Xinerama extension library
pn  libxklavier12           <none>           (no description available)
ii  libxml2                 2.7.6.dfsg-2+b1  GNOME XML library
ii  libxrandr2              2:1.3.0-3        X11 RandR extension library
ii  libxrender1             1:0.9.5-1        X Rendering Extension client libra
pn  libxss1                 <none>           (no description available)
pn  libxxf86misc1           <none>           (no description available)
ii  libxxf86vm1             1:1.1.0-2        X11 XFree86 video mode extension l
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

Versions of packages gnome-screensaver recommends:
pn  gnome-power-manager           <none>     (no description available)
ii  libpam-gnome-keyring          2.28.2-1   PAM module to unlock the GNOME key
pn  rss-glx                       <none>     (no description available)

gnome-screensaver suggests no packages.




Reply sent to Emilio Pozuelo Monfort <pochu@debian.org>:
You have taken responsibility. (Wed, 10 Feb 2010 09:51:03 GMT)

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 10 Feb 2010 09:51:03 GMT)

Message #10 received at 569084-close@bugs.debian.org:

From: Emilio Pozuelo Monfort <pochu@debian.org>
To: 569084-close@bugs.debian.org
Subject: Bug#569084: fixed in gnome-screensaver 2.28.0-3
Date: Wed, 10 Feb 2010 09:45:57 +0000
Source: gnome-screensaver
Source-Version: 2.28.0-3

We believe that the bug you reported is fixed in the latest version of
gnome-screensaver, which is due to be installed in the Debian FTP archive:

gnome-screensaver_2.28.0-3.diff.gz
  to main/g/gnome-screensaver/gnome-screensaver_2.28.0-3.diff.gz
gnome-screensaver_2.28.0-3.dsc
  to main/g/gnome-screensaver/gnome-screensaver_2.28.0-3.dsc
gnome-screensaver_2.28.0-3_i386.deb
  to main/g/gnome-screensaver/gnome-screensaver_2.28.0-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 569084@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <pochu@debian.org> (supplier of updated gnome-screensaver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 10 Feb 2010 09:24:22 +0100
Source: gnome-screensaver
Binary: gnome-screensaver
Architecture: source i386
Version: 2.28.0-3
Distribution: unstable
Urgency: low
Maintainer: Guilherme de S. Pastore <gpastore@debian.org>
Changed-By: Emilio Pozuelo Monfort <pochu@debian.org>
Description: 
 gnome-screensaver - GNOME screen saver and locker
Closes: 569084
Changes: 
 gnome-screensaver (2.28.0-3) unstable; urgency=low
 .
   * New upstream bugfix release.
     - CVE-2010-0414, handle monitor removal more securely. Closes: #569084.
     - debian/patches/01_session_inhibitors.patch:
       + Removed, fixed upstream.
   * Standards-Version is 3.8.4, no changes needed.






Reply sent to Emilio Pozuelo Monfort <pochu@debian.org>:
You have taken responsibility. (Wed, 10 Feb 2010 09:51:05 GMT)

Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Wed, 10 Feb 2010 09:51:06 GMT)

Message #15 received at 569084-close@bugs.debian.org:

From: Emilio Pozuelo Monfort <pochu@debian.org>
To: 569084-close@bugs.debian.org
Subject: Bug#569084: fixed in gnome-screensaver 2.28.2-1
Date: Wed, 10 Feb 2010 09:46:15 +0000
Source: gnome-screensaver
Source-Version: 2.28.2-1

We believe that the bug you reported is fixed in the latest version of
gnome-screensaver, which is due to be installed in the Debian FTP archive:

gnome-screensaver_2.28.2-1.diff.gz
  to main/g/gnome-screensaver/gnome-screensaver_2.28.2-1.diff.gz
gnome-screensaver_2.28.2-1.dsc
  to main/g/gnome-screensaver/gnome-screensaver_2.28.2-1.dsc
gnome-screensaver_2.28.2-1_i386.deb
  to main/g/gnome-screensaver/gnome-screensaver_2.28.2-1_i386.deb
gnome-screensaver_2.28.2.orig.tar.gz
  to main/g/gnome-screensaver/gnome-screensaver_2.28.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 569084@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <pochu@debian.org> (supplier of updated gnome-screensaver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 10 Feb 2010 09:59:34 +0100
Source: gnome-screensaver
Binary: gnome-screensaver
Architecture: source i386
Version: 2.28.2-1
Distribution: unstable
Urgency: low
Maintainer: Guilherme de S. Pastore <gpastore@debian.org>
Changed-By: Emilio Pozuelo Monfort <pochu@debian.org>
Description: 
 gnome-screensaver - GNOME screen saver and locker
Closes: 569084
Changes: 
 gnome-screensaver (2.28.2-1) unstable; urgency=low
 .
   * New upstream bugfix release.
     - CVE-2010-0414, handle monitor removal more securely. Closes: #569084.
     - debian/patches/01_session_inhibitors.patch:
       + Removed, fixed upstream.
   * Standards-Version is 3.8.4, no changes needed.






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 31 May 2010 07:37:37 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:02:48 2019; Machine Name: beach