
List:       oss-security
Subject:    [oss-security] Re: gnome-screensaver vulnerability (CVE-2010-0414)
From:       Vincent Danen <vdanen () redhat ! com>
Date:       2010-02-12 22:14:56
Message-ID: 20100212221456.GI2737 () redhat ! com

* [2010-02-08 09:48:22 -0700] Vincent Danen wrote:

>This is a heads up on a gnome-screensaver issue that was fixed upstream
>today.
>
>In version 2.28, it is possible to circumvent the security of screen
>locking functionality by changing the physical monitor configuration.
>
>Details are available in our bugzilla, along with the patch being used
>by upstream to correct the issue:
>
>https://bugzilla.redhat.com/show_bug.cgi?id=562217
>
>We have assigned CVE-2010-0414 to this issue.
>
>The code that caused this issue went into gnome-screensaver during the
>2.24 development cycle, but auto-configuration of hotplugged monitors
>didn't show up until 2.28, and that is a pre-requisite for triggering
>the bug, so only 2.28 is vulnerable.
>
>References:
>
>http://git.gnome.org/browse/gnome-screensaver/commit/?id=a5f66339be6719c2b8fc478a1d5fc6545297d950
>https://bugzilla.gnome.org/show_bug.cgi?id=609337

A similar issue was also just found.  We have assigned CVE-2010-0422 to
the new flaw that is similar to this.

https://bugzilla.redhat.com/show_bug.cgi?id=564464
https://bugzilla.gnome.org/show_bug.cgi?id=609789

There are links to the upstream commits in the gnome bug report.

As with the previous issue, this one also only affects version 2.28.

-- 
Vincent Danen / Red Hat Security Response Team 