gnome-screensaver: CVE-2008-1683 unlocks session if it fails to get user attributes via getpwnam()

Related Vulnerabilities: CVE-2008-1683   CVE-2007-1859  

Debian Bug report logs - #475154

Reported by: Nico Golde <nion@debian.org>

Date: Wed, 9 Apr 2008 12:36:01 UTC

Severity: grave

Tags: security

Fixed in version gnome-screensaver/2.22.2-1

Done: Sebastian Dröge <slomo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, gpastore@debian.org (Guilherme de S. Pastore):
Bug#475154; Package gnome-screensaver.


Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to gpastore@debian.org (Guilherme de S. Pastore).


Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: gnome-screensaver: CVE-2008-1683 unlocks session if it fails to get user attributes via getpwnam()
Date: Wed, 9 Apr 2008 14:35:05 +0200
[Message part 1 (text/plain, inline)]
Package: gnome-screensaver
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gnome-screensaver.


CVE-2008-1683[0]:
| xscreensaver on Fedora 8, when an NIS authentication server is
| enabled, exits if this server is unavailable as the xscreensaver
| process is starting, which allows physically proximate attackers to
| gain access to a workstation session for which locking was intended, a
| related issue to CVE-2007-1859.

The CVE text is somehow wrong, I think. Reading the Red Hat
bugzilla in the references, this is a gnome-screensaver issue
and was not reproducible in xscreensaver.

Patch is on:
https://bugzilla.redhat.com/attachment.cgi?id=297817

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1683
    http://security-tracker.debian.net/tracker/CVE-2008-1683

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
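The failure mode in this report, a locker that lets the session through when the lookup of the session owner's account fails (for example because the NIS server is unreachable while the process starts), is a fail-open control flow. The following C example is added here and is neither gnome-screensaver's code nor the Red Hat patch linked above; it places the fail-open shape beside the fail-closed one. The verifier `demo_verify` is a constructed stand-in for the real PAM conversation, and the account name `no-such-user-cve-2008-1683` is a hypothetical name chosen so that the directory lookup returns nothing, which is how an unavailable backend shows up at this point in the code.

```c
/* Added example: fail-open versus fail-closed handling of a failed
 * user lookup on a screen-lock unlock path. Not gnome-screensaver's code. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum unlock_result { UNLOCK_DENY = 0, UNLOCK_ALLOW = 1 };

/* Resolve the account that owns the locked session. Returns 1 on success
 * and 0 when the directory (local files, NIS, LDAP, ...) yields no entry,
 * whether because the name is unknown or because the backend is down. */
static int lookup_user(const char *name, struct passwd *pw,
                       char *buf, size_t buflen)
{
    struct passwd *result = NULL;
    int rc = getpwnam_r(name, pw, buf, buflen, &result);
    return rc == 0 && result != NULL;
}

/* Credential check; in a real locker this is the PAM conversation. */
typedef int (*verify_fn)(const struct passwd *pw, const char *password);

/* Fail-open shape: the only explicit denial sits inside the branch that
 * needs a user entry, so a failed lookup falls through to ALLOW. */
int unlock_fail_open(const char *user, const char *password, verify_fn verify)
{
    struct passwd pw;
    char buf[4096];
    if (lookup_user(user, &pw, buf, sizeof buf)) {
        if (!verify(&pw, password))
            return UNLOCK_DENY;
    }
    return UNLOCK_ALLOW;   /* reached even when no entry was found */
}

/* Fail-closed shape: every path that has not positively verified the
 * credential returns DENY; a failed lookup keeps the session locked. */
int unlock_fail_closed(const char *user, const char *password, verify_fn verify)
{
    struct passwd pw;
    char buf[4096];
    if (!lookup_user(user, &pw, buf, sizeof buf))
        return UNLOCK_DENY;   /* directory unavailable: stay locked */
    if (!verify(&pw, password))
        return UNLOCK_DENY;
    return UNLOCK_ALLOW;
}

/* Constructed stand-in verifier: accepts only one fixed demo secret. */
int demo_verify(const struct passwd *pw, const char *password)
{
    (void)pw;
    return strcmp(password, "correct-horse") == 0;
}

/* Name of the account running this demo; it exists by construction. */
const char *current_user(void)
{
    struct passwd *pw = getpwuid(getuid());
    return pw ? pw->pw_name : "root";
}

int main(void)
{
    const char *ghost = "no-such-user-cve-2008-1683";   /* hypothetical name */
    printf("fail-open,   unknown user: %s\n",
           unlock_fail_open(ghost, "x", demo_verify) ? "ALLOW" : "DENY");
    printf("fail-closed, unknown user: %s\n",
           unlock_fail_closed(ghost, "x", demo_verify) ? "ALLOW" : "DENY");
    printf("fail-closed, %s + demo secret: %s\n", current_user(),
           unlock_fail_closed(current_user(), "correct-horse", demo_verify)
               ? "ALLOW" : "DENY");
    return 0;
}
```

The point of contrast is the default return value: in the fail-closed form the unlock path has exactly one way to return ALLOW, and it is guarded by a successful lookup and a successful verification. When reviewing a locker or any other authentication gate, the check to make is that an error from the identity backend cannot reach that single ALLOW.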

Information forwarded to debian-bugs-dist@lists.debian.org, gpastore@debian.org (Guilherme de S. Pastore):
Bug#475154; Package gnome-screensaver.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to gpastore@debian.org (Guilherme de S. Pastore).


Message #10 received at 475154@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 475154@bugs.debian.org
Subject: intent to NMU
Date: Sun, 13 Apr 2008 20:03:07 +0200
[Message part 1 (text/plain, inline)]
Hi,
attached is a fix for this issue.

It will also be archived on:
http://people.debian.org/~nion/nmu-diff/gnome-screensaver-2.22.0-1_2.22.0-1.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[gnome-screensaver-2.22.0-1_2.22.0-1.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, gpastore@debian.org (Guilherme de S. Pastore):
Bug#475154; Package gnome-screensaver.


Acknowledgement sent to Sebastian Dröge <slomo@circular-chaos.org>:
Extra info received and forwarded to list. Copy sent to gpastore@debian.org (Guilherme de S. Pastore).


Message #15 received at 475154@bugs.debian.org:

From: Sebastian Dröge <slomo@circular-chaos.org>
To: Nico Golde <nion@debian.org>, 475154@bugs.debian.org
Subject: Re: Bug#475154: intent to NMU
Date: Mon, 14 Apr 2008 10:43:36 +0200
[Message part 1 (text/plain, inline)]
On Sunday, 13.04.2008, 20:03 +0200, Nico Golde wrote:
> Hi,
> attached is a fix for this issue.
> 
> It will also be archived on:
> http://people.debian.org/~nion/nmu-diff/gnome-screensaver-2.22.0-1_2.22.0-1.1.patch

Please don't NMU this, otherwise you're delaying the libxklavier
transition even more. I'll upload a new upstream version with this patch
once this transition is done.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, gpastore@debian.org (Guilherme de S. Pastore):
Bug#475154; Package gnome-screensaver.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to gpastore@debian.org (Guilherme de S. Pastore).


Message #20 received at 475154@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 475154@bugs.debian.org
Subject: Re: Bug#475154: intent to NMU
Date: Mon, 14 Apr 2008 11:13:38 +0200
[Message part 1 (text/plain, inline)]
Hi Sebastian,
* Sebastian Dröge <slomo@circular-chaos.org> [2008-04-14 11:04]:
> On Sunday, 13.04.2008, 20:03 +0200, Nico Golde wrote:
> > Hi,
> > attached is a fix for this issue.
> > 
> > It will also be archived on:
> > http://people.debian.org/~nion/nmu-diff/gnome-screensaver-2.22.0-1_2.22.0-1.1.patch
> 
> Please don't NMU this, otherwise you're delaying the libxklavier
> transition even more. I'll upload a new upstream version with this patch
> once this transition is done.

Ok, thanks for letting me know.
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Sebastian Dröge <slomo@debian.org>:
You have taken responsibility.


Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer.


Message #25 received at 475154-close@bugs.debian.org:

From: Sebastian Dröge <slomo@debian.org>
To: 475154-close@bugs.debian.org
Subject: Bug#475154: fixed in gnome-screensaver 2.22.2-1
Date: Wed, 16 Apr 2008 09:17:04 +0000
Source: gnome-screensaver
Source-Version: 2.22.2-1

We believe that the bug you reported is fixed in the latest version of
gnome-screensaver, which is due to be installed in the Debian FTP archive:

gnome-screensaver_2.22.2-1.diff.gz
  to pool/main/g/gnome-screensaver/gnome-screensaver_2.22.2-1.diff.gz
gnome-screensaver_2.22.2-1.dsc
  to pool/main/g/gnome-screensaver/gnome-screensaver_2.22.2-1.dsc
gnome-screensaver_2.22.2-1_i386.deb
  to pool/main/g/gnome-screensaver/gnome-screensaver_2.22.2-1_i386.deb
gnome-screensaver_2.22.2.orig.tar.gz
  to pool/main/g/gnome-screensaver/gnome-screensaver_2.22.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 475154@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Dröge <slomo@debian.org> (supplier of updated gnome-screensaver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 16 Apr 2008 10:50:22 +0200
Source: gnome-screensaver
Binary: gnome-screensaver
Architecture: source i386
Version: 2.22.2-1
Distribution: unstable
Urgency: high
Maintainer: Guilherme de S. Pastore <gpastore@debian.org>
Changed-By: Sebastian Dröge <slomo@debian.org>
Description: 
 gnome-screensaver - GNOME screen saver and locker
Closes: 475154
Changes: 
 gnome-screensaver (2.22.2-1) unstable; urgency=high
 .
   * New upstream bugfix release:
     + SECURITY: CVE-2008-1683 unlocks session if
       it fails to get user attributes via getpwnam() (Closes: #475154).
Checksums-Sha1: 
 5771cd9353666a3342147cfa9ee98b93cdfed571 1726 gnome-screensaver_2.22.2-1.dsc
 83a524c956e5cea7c8e563842d660ef3997ddcb7 2321751 gnome-screensaver_2.22.2.orig.tar.gz
 c051912b17db91817784304f937e41e91c34ebce 9812 gnome-screensaver_2.22.2-1.diff.gz
 621a62dad850d5ca873725a8fa21e44f6bf51f51 1887872 gnome-screensaver_2.22.2-1_i386.deb
Checksums-Sha256: 
 a0cc3935139cc57a38459d1f21afeb409c754ac858d6a97a81b5503ac618dad2 1726 gnome-screensaver_2.22.2-1.dsc
 c79f0a77ef282d03f0d91c570248551ec7b01bb8fe3982dd4fd45307bc25ed99 2321751 gnome-screensaver_2.22.2.orig.tar.gz
 9100d153dd71e110adbfe7d7ebe9733cbeb54ce9b9ab4c1ce403b2dd5bb28e66 9812 gnome-screensaver_2.22.2-1.diff.gz
 9b75f04b2d4f8cb640fdf36fde555ce4871d7ecfcbc55e2929a0a64cea7c3e5b 1887872 gnome-screensaver_2.22.2-1_i386.deb
Files: 
 304328c0ba9e88c5e42c1728ec399b82 1726 gnome optional gnome-screensaver_2.22.2-1.dsc
 389cf978782b5ec1637459852e657797 2321751 gnome optional gnome-screensaver_2.22.2.orig.tar.gz
 170cb70a02ca63e806aa7cb9da7f787e 9812 gnome optional gnome-screensaver_2.22.2-1.diff.gz
 70bc0bea4ec1454298f54e733ba365a3 1887872 gnome optional gnome-screensaver_2.22.2-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIBb//BsBdh4vkHyERApj0AJ4queXFK3JwYsI0IWajAp2EC54aCACfZpzj
I76JB1+sVjmlC/m6kQH0ZR8=
=NXAy
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 09:14:14 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:53:05 2019; Machine Name: beach
