Package: gnome-screensaver
Severity: important
Tags: security

The following was posted to the oss-security mailing list by Vincent Danen from Red Hat.

Cheers,
Moritz

----------------------------

This is a heads up on a gnome-screensaver issue that was fixed upstream today. In version 2.28, it is possible to circumvent the security of screen locking functionality by changing the physical monitor configuration. Details are available in our bugzilla, along with the patch being used by upstream to correct the issue:

https://bugzilla.redhat.com/show_bug.cgi?id=562217

We have assigned CVE-2010-0414 to this issue.

The code that caused this issue went into gnome-screensaver during the 2.24 development cycle, but auto-configuration of hotplugged monitors didn't show up until 2.28, and that is a pre-requisite for triggering the bug, so only 2.28 is vulnerable.

References:

http://git.gnome.org/browse/gnome-screensaver/commit/?id=a5f66339be6719c2b8fc478a1d5fc6545297d950
https://bugzilla.gnome.org/show_bug.cgi?id=609337

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages gnome-screensaver depends on:
ii  dbus                     1.2.20-2          simple interprocess messaging syst
ii  gconf2                   2.28.0-1          GNOME configuration database syste
ii  gnome-icon-theme         2.28.0-1          GNOME Desktop icon theme
ii  libatk1.0-0              1.28.0-1          The ATK accessibility toolkit
ii  libc6                    2.10.2-5          Embedded GNU C Library: Shared lib
ii  libcairo2                1.8.8-2           The Cairo 2D vector graphics libra
ii  libdbus-1-3              1.2.20-2          simple interprocess messaging syst
ii  libdbus-glib-1-2         0.84-1            simple interprocess messaging syst
ii  libfontconfig1           2.8.0-2           generic font configuration library
ii  libfreetype6             2.3.11-1          FreeType 2 font engine, shared lib
ii  libgconf2-4              2.28.0-1          GNOME configuration database syste
ii  libgl1-mesa-glx [libgl1  7.6.1-1           A free implementation of the OpenG
ii  libglade2-0              1:2.6.4-1         library to load .glade files at ru
ii  libglib2.0-0             2.22.4-1          The GLib library of C routines
pn  libgnome-menu2           <none>            (no description available)
pn  libgnomekbd2             <none>            (no description available)
pn  libgnomekbdui2           <none>            (no description available)
ii  libgtk2.0-0              2.18.6-1          The GTK+ graphical user interface
ii  libice6                  2:1.0.6-1         X11 Inter-Client Exchange library
ii  libnotify1 [libnotify1-  0.4.5-1           sends desktop notifications to a n
ii  libpam0g                 1.1.1-1           Pluggable Authentication Modules l
ii  libpango1.0-0            1.26.2-1          Layout and rendering of internatio
ii  libpng12-0               1.2.42-1          PNG library - runtime
ii  libsm6                   2:1.1.1-1         X11 Session Management library
ii  libx11-6                 2:1.3.3-1         X11 client-side library
ii  libxcursor1              1:1.1.10-1        X cursor management library
ii  libxext6                 2:1.1.1-2         X11 miscellaneous extension librar
ii  libxfixes3               1:4.0.4-1         X11 miscellaneous 'fixes' extensio
ii  libxi6                   2:1.3-2           X11 Input extension library
ii  libxinerama1             2:1.1-2           X11 Xinerama extension library
pn  libxklavier12            <none>            (no description available)
ii  libxml2                  2.7.6.dfsg-2+b1   GNOME XML library
ii  libxrandr2               2:1.3.0-3         X11 RandR extension library
ii  libxrender1              1:0.9.5-1         X Rendering Extension client libra
pn  libxss1                  <none>            (no description available)
pn  libxxf86misc1            <none>            (no description available)
ii  libxxf86vm1              1:1.1.0-2         X11 XFree86 video mode extension l
ii  zlib1g                   1:1.2.3.4.dfsg-3  compression library - runtime

Versions of packages gnome-screensaver recommends:
pn  gnome-power-manager      <none>            (no description available)
ii  libpam-gnome-keyring     2.28.2-1          PAM module to unlock the GNOME key
pn  rss-glx                  <none>            (no description available)

gnome-screensaver suggests no packages.