'Re: [oss-security] Re: CVE Request: gnome-screensaver termination by'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Re: CVE Request: gnome-screensaver termination by
From:       Vincent Danen <vdanen () redhat ! com>
Date:       2010-03-16 17:11:07
Message-ID: 20100316171107.GG30480 () redhat ! com
[Download RAW message or body]

* [2010-03-05 10:09:58 +0100] Marcus Meissner wrote:

>Can someone, Stephen, assign a CVE id please?

Please use CVE-2010-0732 for this issue.

Also note that our maintainer looked at this and indicates this is a bug
in GTK+, not gnome-screensaver, and that this commit actually corrects
the problem:

http://git.gnome.org/browse/gtk+/commit/?id=0748cf563d0d0d03001a62589f13be16a8ec06c1

See the comments in our bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=565527#c3

>On Fri, Feb 12, 2010 at 10:53:24AM +0100, Marcus Meissner wrote:
>> Hi,
>>
>> Yesterday an article was published by Heise News (a german IT magazine)
>> that said that the Gnome Screensaver in openSUSE 11.2 is unlockable by
>> just pressing the "return" key for some time.
>>
>> The issue as far as we know is the following:
>>
>> The unlock dialog shakes if you enter the wrong password. On the last try,
>> this dialog is also hidden again (so screen is blanked).
>>
>> There is race condition between these two actions which can lead to an X error
>> which aborts the screensaver (and so unlocks the screen).
>>
>> It is fixed in gnome-screensaver 2.28.1 release.
>>
>> References:
>>
>> The fixing commit in the 2.28 branch:
>> http://git.gnome.org/browse/gnome-screensaver/commit/?h=gnome-2-28&id=98f8a22412cf388217fd5b88915eadd274d68520
>>
>> The news article (in german):
>> http://www.heise.de/newsticker/meldung/Gnome-Bildschirmsperre-in-OpenSuse-Linux-wirkungslos-928580.html
>>
>> The GNOME upstream bug:
>> http://bugzilla.gnome.org/show_bug.cgi?id=598476
>>
>> I think this does not have a CVE id yet, so please someone allocate one.
>>
>> I am not sure when this shaking was introduced, but it might be pretty new.
>>
>> Ciao, Marcus
>
>-- 
>Working, but not speaking, for the following german company:
>SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

-- 
Vincent Danen / Red Hat Security Response Team 
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic