xscreensaver: CVE-2021-34557: Disconnecting a video output can cause XScreenSaver to crash and unlock

Related Vulnerabilities: CVE-2021-34557

Debian Bug report logs - #989508

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 5 Jun 2021 18:51:05 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version xscreensaver/5.45+dfsg1-1

Fixed in version xscreensaver/5.45+dfsg1-2

Done: Tormod Volden <debian.tormod@gmail.com>

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Tormod Volden <debian.tormod@gmail.com>:
Bug#989508; Package src:xscreensaver. (Sat, 05 Jun 2021 18:51:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Tormod Volden <debian.tormod@gmail.com>. (Sat, 05 Jun 2021 18:51:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: xscreensaver: Disconnecting a video output can cause XScreenSaver to crash and unlock
Date: Sat, 05 Jun 2021 20:48:13 +0200
Source: xscreensaver
Version: 5.45+dfsg1-1
Severity: important
Tags: security upstream fixed-upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi

On the oss-security mailing list an issue with xscreensaver has been
published which seems to be specific to the 4.45 version (and not
affecting earlier versions, nor 6.00):

https://www.openwall.com/lists/oss-security/2021/06/05/1

Qubes OS has patched the issue in 5.45:

https://www.openwall.com/lists/oss-security/2021/06/05/2
https://github.com/QubesOS/qubes-xscreensaver/blob/master/0001-Fix-updating-outputs-info.patch

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#989508; Package src:xscreensaver. (Sun, 06 Jun 2021 11:00:03 GMT)


Acknowledgement sent to Tormod Volden <debian.tormod@gmail.com>:
Extra info received and forwarded to list. (Sun, 06 Jun 2021 11:00:03 GMT)


Message #10 received at 989508@bugs.debian.org:

From: Tormod Volden <debian.tormod@gmail.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 989508@bugs.debian.org
Subject: Re: Bug#989508: xscreensaver: Disconnecting a video output can cause XScreenSaver to crash and unlock
Date: Sun, 6 Jun 2021 12:56:58 +0200
I'll take a look at this now. We might want to include this in 5.45+dfsg1-2.

Tormod

On Sat, Jun 5, 2021 at 8:51 PM Salvatore Bonaccorso wrote:
>
> On the oss-security mailing list an issue with xscreensaver has been
> published which seems to be specific to the 4.45 version (and not
> affecting earlier versions, nor 6.00):
>
> https://www.openwall.com/lists/oss-security/2021/06/05/1
>
> Qubes OS has patched the issue in 5.45:
>
> https://www.openwall.com/lists/oss-security/2021/06/05/2
> https://github.com/QubesOS/qubes-xscreensaver/blob/master/0001-Fix-updating-outputs-info.patch
>



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#989508; Package src:xscreensaver. (Sun, 06 Jun 2021 11:57:04 GMT)


Acknowledgement sent to Tormod Volden <debian.tormod@gmail.com>:
Extra info received and forwarded to list. (Sun, 06 Jun 2021 11:57:05 GMT)


Message #15 received at 989508@bugs.debian.org:

From: Tormod Volden <debian.tormod@gmail.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 989508@bugs.debian.org
Cc: Andrew Shadura <andrew@shadura.me>
Subject: Re: Bug#989508: xscreensaver: Disconnecting a video output can cause XScreenSaver to crash and unlock
Date: Sun, 6 Jun 2021 13:54:21 +0200
On Sun, Jun 6, 2021 at 12:56 PM Tormod Volden wrote:
>
> I'll take a look at this now. We might want to include this in 5.45+dfsg1-2.
>

I have included the fix from Qubes-OS, pushed to salsa in commit 60304c21.

I did some testing by plugging and unplugging an external monitor
around 19 times.

Tormod


> On Sat, Jun 5, 2021 at 8:51 PM Salvatore Bonaccorso wrote:
> >
> > On the oss-security mailing list an issue with xscreensaver has been
> > published which seems to be specific to the 4.45 version (and not
> > affecting earlier versions, nor 6.00):
> >
> > https://www.openwall.com/lists/oss-security/2021/06/05/1
> >
> > Qubes OS has patched the issue in 5.45:
> >
> > https://www.openwall.com/lists/oss-security/2021/06/05/2
> > https://github.com/QubesOS/qubes-xscreensaver/blob/master/0001-Fix-updating-outputs-info.patch
> >



Reply sent to Tormod Volden <debian.tormod@gmail.com>:
You have taken responsibility. (Sun, 06 Jun 2021 19:36:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 06 Jun 2021 19:36:15 GMT)


Message #20 received at 989508-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 989508-close@bugs.debian.org
Subject: Bug#989508: fixed in xscreensaver 5.45+dfsg1-2
Date: Sun, 06 Jun 2021 19:33:28 +0000
Source: xscreensaver
Source-Version: 5.45+dfsg1-2
Done: Tormod Volden <debian.tormod@gmail.com>

We believe that the bug you reported is fixed in the latest version of
xscreensaver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 989508@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Tormod Volden <debian.tormod@gmail.com> (supplier of updated xscreensaver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 06 Jun 2021 12:25:19 +0200
Source: xscreensaver
Architecture: source
Version: 5.45+dfsg1-2
Distribution: unstable
Urgency: medium
Maintainer: Tormod Volden <debian.tormod@gmail.com>
Changed-By: Tormod Volden <debian.tormod@gmail.com>
Closes: 978086 978589 979562 987149 988158 989508
Changes:
 xscreensaver (5.45+dfsg1-2) unstable; urgency=medium
 .
   * Do not assign raw net capability to "sonar" hack due to a security
     vulnerability in mesa (Closes: #987149)
   * Make sure the systemd unit is disabled if upgrading from previous
     two releases (Closes: #978589)
   * Do not enable screensaver on login screen (Closes: #979562, #988158)
   * Recommend needed font for unlock dialog (Closes: #978086)
   * Apply fix for crash on video output disconnection (Closes: #989508)


Changed Bug title to 'xscreensaver: CVE-2021-34557: Disconnecting a video output can cause XScreenSaver to crash and unlock' from 'xscreensaver: Disconnecting a video output can cause XScreenSaver to crash and unlock'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 Jun 2021 19:51:02 GMT)


Severity set to 'grave' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 Jun 2021 19:51:04 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jun 11 16:14:39 2021; Machine Name: bembo