Debian Bug report logs -
#433964
possible security problem with xscreensaver
Reported by: Steffen Joeris <white@debian.org>
Date: Fri, 20 Jul 2007 17:21:01 UTC
Severity: grave
Tags: security
Found in version xscreensaver/4.24-5
Fixed in version 5.03-1
Done: Jose Luis Rivas Contreras <ghostbar38@gmail.com>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Ralf Hildebrandt <ralf.hildebrandt@charite.de>
:
Bug#433964
; Package xscreensaver
.
(full text, mbox, link).
Acknowledgement sent to Steffen Joeris <white@debian.org>
:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Ralf Hildebrandt <ralf.hildebrandt@charite.de>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: xscreensaver
Version: 4.24-5
Severity: grave
Tags: security
Justification: user security hole
Hi mate
Please have a look at the patch below I found in the Ubuntu version of
your package. Your package was showing up on the security tracker and I
found a CVE assigned for it. It seems that the patch below fixed the issue
for ubuntu, though I did no further investigation. Maybe you can have
a look and if this information is wrong, feel free to downgrade the bug.
Cheers
Steffen
diff -u xscreensaver-4.24/debian/changelog xscreensaver-4.24/debian/changelog
--- xscreensaver-4.24/debian/changelog
+++ xscreensaver-4.24/debian/changelog
@@ -1,3 +1,12 @@
+xscreensaver (4.24-5ubuntu2.1) feisty-security; urgency=low
+
+ * SECURITY UPDATE: password bypass when using network authentication.
+ * driver/lock.c: upstream fixes applied inline.
+ * References
+ CVE-2007-1859
+
+ -- Kees Cook <kees@ubuntu.com> Mon, 11 Jun 2007 12:58:25 -0700
+
xscreensaver (4.24-5ubuntu2) feisty; urgency=low
* debian/control:
diff -u xscreensaver-4.24/driver/lock.c xscreensaver-4.24/driver/lock.c
--- xscreensaver-4.24/driver/lock.c
+++ xscreensaver-4.24/driver/lock.c
@@ -1532,7 +1532,7 @@
*/
struct passwd *pw = getpwuid (getuid ());
char *d = DisplayString (si->dpy);
- char *u = (pw->pw_name ? pw->pw_name : "???");
+ char *u = (pw && pw->pw_name ? pw->pw_name : "???");
int opt = 0;
int fac = 0;
Information forwarded to debian-bugs-dist@lists.debian.org, Ralf Hildebrandt <ralf.hildebrandt@charite.de>
:
Bug#433964
; Package xscreensaver
.
(full text, mbox, link).
Acknowledgement sent to Jamie Zawinski <jwz@jwz.org>
:
Extra info received and forwarded to list. Copy sent to Ralf Hildebrandt <ralf.hildebrandt@charite.de>
.
(full text, mbox, link).
Message #10 received at submit@bugs.debian.org (full text, mbox, reply):
That patch is already included in 5.03. But you people are still
shipping 4.24, which is nearly eighteen months old. I really wish
you'd upgrade already.
Also, it is damned near impossible to exploit that. For it to be a
problem, the attacker needs to have already compromised either the
auth server or the LAN. After having done that, *then* one could
make xscreensaver crash and unlock the screen. If that's a
possibility, it seems to me that you've already got much bigger
problems.
Information forwarded to debian-bugs-dist@lists.debian.org, Ralf Hildebrandt <ralf.hildebrandt@charite.de>
:
Bug#433964
; Package xscreensaver
.
(full text, mbox, link).
Acknowledgement sent to Jamie Zawinski <jwz@jwz.org>
:
Extra info received and forwarded to list. Copy sent to Ralf Hildebrandt <ralf.hildebrandt@charite.de>
.
(full text, mbox, link).
Reply sent to Jose Luis Rivas Contreras <ghostbar38@gmail.com>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Steffen Joeris <white@debian.org>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #20 received at 433964-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Version: 5.03-1
This is fixed in the last uploaded version.
Regards,
Jose Luis.
--
ghostbar on Linux/Debian 'sid' x86_64-SMP - #382503
Weblog: http://ghostbar.ath.cx/ - http://linuxtachira.org
http://debian.org.ve - irc.debian.org #debian-ve #debian-devel-es
San Cristóbal, Venezuela. http://chaslug.org.ve
Fingerprint = 3E7D 4267 AFD5 2407 2A37 20AC 38A0 AD5B CACA B118
[signature.asc (application/pgp-signature, attachment)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Mon, 16 Mar 2009 09:38:59 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:20:25 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.