List: oss-security
Subject: [oss-security] CVE request: pyxtrlock
From: Leon Weber <leon () leonweber ! de>
Date: 2013-09-25 19:28:46
Message-ID: 20130925192846.GD14841 () dirac ! q-ix ! net
Hi,
two security issues were found and fixed in pyxtrlock[1], a lightweight X
screen locker.
• A mis-spelled variable name could cause the program to crash and thus
unlock the screen without requiring a password if the erroneous code
line was reached, which could be achieved by correctly timing multiple
authentication failures.
This was found by Paul Lhussiez and reported to us at
<https://github.com/leonnnn/pyxtrlock/issues/8>
Commit containing the fix, and security release announcement:
<https://github.com/leonnnn/pyxtrlock/commit/297a697ce1543451166a9c85ba1e0dd76fa4ae10>
<https://zombofant.net/blog/2013/8/pyxtrlock-release-0.1-130825>
All versions before release 0.1 or git commit 297a697 are vulnerable.
• Incorrect return value checking after calling XCB library functions
led to the program seemingly starting up normally, but leaving the
keyboard or mouse not actually locked in case the xcb_grab_*()
functions returned an error. There would be no indication for the user
that one of the input devices is not locked.
Commit containing the fix, and security release announcement:
<https://github.com/leonnnn/pyxtrlock/commit/50a8522392809a5688638d074fb9f84264c8b58d>
<https://zombofant.net/blog/2013/9/pyxtrlock-release-0.2-130909>
All versions before release 0.2 or git commit 50a8522 are vulnerable.
Could CVE-IDs be assigned for these, please?
-- Leon. (pyxtrlock maintainer)
[1]: <https://zombofant.net/hacking/pyxtrlock>
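The second issue above is a fail-open pattern: a grab request that "returns" is not the same as a grab that succeeded, because the result lives in the reply's status field. The following is an added example, not pyxtrlock's own code, showing fail-closed handling of XCB grab replies. The XCB_GRAB_STATUS_* values are the xproto constants; the grab/ungrab callables, the GrabReply stand-in and the retry count are assumptions so the logic can be exercised without an X server.

```python
# Added example (not pyxtrlock's code): fail-closed handling of XCB grab replies.
# The grab and ungrab functions are injected stand-ins for the libxcb calls.
import time
from typing import Callable, NamedTuple, Optional

# Status codes carried in xcb_grab_keyboard_reply_t / xcb_grab_pointer_reply_t
XCB_GRAB_STATUS_SUCCESS = 0
XCB_GRAB_STATUS_ALREADY_GRABBED = 1
XCB_GRAB_STATUS_INVALID_TIME = 2
XCB_GRAB_STATUS_NOT_VIEWABLE = 3
XCB_GRAB_STATUS_FROZEN = 4

STATUS_NAMES = {0: "success", 1: "already grabbed", 2: "invalid time",
                3: "not viewable", 4: "frozen"}


class GrabReply(NamedTuple):
    """Stand-in for xcb_grab_{keyboard,pointer}_reply_t; only .status matters here."""
    status: int


class LockError(RuntimeError):
    """A device could not be grabbed: abort instead of pretending to be locked."""


def grab_succeeded(reply: Optional[GrabReply]) -> bool:
    # A missing reply (I/O error on the connection) and any non-success status
    # both mean the device is NOT grabbed, even though the request "returned".
    return reply is not None and reply.status == XCB_GRAB_STATUS_SUCCESS


def grab_with_retry(grab: Callable[[], Optional[GrabReply]], name: str,
                    attempts: int = 3, delay: float = 0.05) -> None:
    """Retry transient failures (e.g. another client briefly holds the grab)."""
    last = None
    for _ in range(attempts):
        last = grab()
        if grab_succeeded(last):
            return
        time.sleep(delay)
    detail = "no reply" if last is None else STATUS_NAMES.get(last.status, str(last.status))
    raise LockError(f"could not grab {name}: {detail}")


def lock_inputs(grab_keyboard, grab_pointer, ungrab_keyboard, attempts: int = 3) -> bool:
    """Grab keyboard then pointer; if the pointer grab fails, release the keyboard and fail closed."""
    grab_with_retry(grab_keyboard, "keyboard", attempts)
    try:
        grab_with_retry(grab_pointer, "pointer", attempts)
    except LockError:
        ungrab_keyboard()  # never leave a half-locked session behind
        raise
    return True
```

The caller treats LockError as fatal and exits with an error before drawing the lock screen, so the user never sees a "locked" display while an input device is still free.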