possible security problem with xscreensaver

Debian Bug report logs - #433964
possible security problem with xscreensaver

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Steffen Joeris <white@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: possible security problem with xscreensaver

Date: Sat, 21 Jul 2007 03:20:49 +0200

Package: xscreensaver
Version: 4.24-5
Severity: grave
Tags: security
Justification: user security hole

Hi mate

Please have a look at the patch below I found in the Ubuntu version of
your package. Your package was showing up on the security tracker and I
found a CVE assigned for it. It seems that the patch below fixed the issue
for ubuntu, though I did no further investigation. Maybe you can have
a look and if this information is wrong, feel free to downgrade the bug.

Cheers
Steffen

diff -u xscreensaver-4.24/debian/changelog xscreensaver-4.24/debian/changelog
--- xscreensaver-4.24/debian/changelog
+++ xscreensaver-4.24/debian/changelog
@@ -1,3 +1,12 @@
+xscreensaver (4.24-5ubuntu2.1) feisty-security; urgency=low
+
+  * SECURITY UPDATE: password bypass when using network authentication.
+  * driver/lock.c: upstream fixes applied inline.
+  * References
+    CVE-2007-1859
+
+ -- Kees Cook <kees@ubuntu.com>  Mon, 11 Jun 2007 12:58:25 -0700
+
 xscreensaver (4.24-5ubuntu2) feisty; urgency=low

   * debian/control:
diff -u xscreensaver-4.24/driver/lock.c xscreensaver-4.24/driver/lock.c
--- xscreensaver-4.24/driver/lock.c
+++ xscreensaver-4.24/driver/lock.c
@@ -1532,7 +1532,7 @@
       */
       struct passwd *pw = getpwuid (getuid ());
       char *d = DisplayString (si->dpy);
-      char *u = (pw->pw_name ? pw->pw_name : "???");
+      char *u = (pw && pw->pw_name ? pw->pw_name : "???");
       int opt = 0;
       int fac = 0;

Message #10 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jamie Zawinski <jwz@jwz.org>

To: Steffen Joeris <white@debian.org>, 433964@bugs.debian.org

Cc: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: Re: Bug#433964: possible security problem with xscreensaver

Date: Fri, 20 Jul 2007 11:05:00 -0700

That patch is already included in 5.03.  But you people are still  
shipping 4.24, which is nearly eighteen months old.  I really wish  
you'd upgrade already.

Also, it is damned near impossible to exploit that.  For it to be a  
problem, the attacker needs to have already compromised either the  
auth server or the LAN.  After having done that, *then* one could  
make xscreensaver crash and unlock the screen.  If that's a  
possibility, it seems to me that you've already got much bigger  
problems.

Message #20 received at 433964-done@bugs.debian.org (full text, mbox, reply):

From: Jose Luis Rivas Contreras <ghostbar38@gmail.com>

To: 433964-done@bugs.debian.org

Subject: possible security problem with xscreensaver

Date: Tue, 24 Jul 2007 20:20:50 -0400

[Message part 1 (text/plain, inline)]

Version: 5.03-1

This is fixed in the last uploaded version.

Regards,
Jose Luis.
-- 

ghostbar on Linux/Debian 'sid' x86_64-SMP - #382503
Weblog: http://ghostbar.ath.cx/ - http://linuxtachira.org
http://debian.org.ve - irc.debian.org #debian-ve #debian-devel-es
San Cristóbal, Venezuela. http://chaslug.org.ve
Fingerprint = 3E7D 4267 AFD5 2407 2A37  20AC 38A0 AD5B CACA B118

[signature.asc (application/pgp-signature, attachment)]

Send a report that this bug log contains spam.