
List:       oss-security
Subject:    [oss-security] CVE request: pyxtrlock
From:       Leon Weber <leon () leonweber ! de>
Date:       2013-09-25 19:28:46
Message-ID: 20130925192846.GD14841 () dirac ! q-ix ! net


Hi,

two security issues were found and fixed in pyxtrlock[1], a lightweight X
screen locker.

• A mis-spelled variable name could cause the program to crash and thus
  unlock the screen without requiring a password if the erroneous code
  line was reached, which could be achieved by correctly timing multiple
  authentication failures.

  This was found by Paul Lhussiez and reported to us at

      <https://github.com/leonnnn/pyxtrlock/issues/8>

  Commit containing the fix, and security release announcement:

      <https://github.com/leonnnn/pyxtrlock/commit/297a697ce1543451166a9c85ba1e0dd76fa4ae10>
      <https://zombofant.net/blog/2013/8/pyxtrlock-release-0.1-130825>

  All versions before release 0.1 or git commit 297a697 are vulnerable.

• Incorrect return value checking after calling XCB library functions
  led to the program seemingly starting up normally, but leaving the
  keyboard or mouse not actually locked in case the xcb_grab_*()
  functions returned an error. There would be no indication for the user
  that one of the input devices is not locked.

  Commit containing the fix, and security release announcement:

      <https://github.com/leonnnn/pyxtrlock/commit/50a8522392809a5688638d074fb9f84264c8b58d>
      <https://zombofant.net/blog/2013/9/pyxtrlock-release-0.2-130909>

  All versions before release 0.2 or git commit 50a8522 are vulnerable.

Could CVE-IDs be assigned for these, please?

    -- Leon.        (pyxtrlock maintainer)

[1]: <https://zombofant.net/hacking/pyxtrlock>

["signature.asc" (application/pgp-signature)]
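Added example (not pyxtrlock's code, and not from the maintainer or the fix commits above): a constructed Python model of the two bug classes in this request. It runs without an X server. The grab callables stand in for xcb_grab_keyboard_reply()/xcb_grab_pointer_reply() and return the reply's status byte using the real xcb_grab_status_t values from xproto.h (None models a NULL reply); the failure hook that raises NameError on the third failure, the "faillures" name in its message, the password "correct horse" and the list of typed attempts are all made up for the demonstration. The point it shows is the fail-closed shape a locker needs: refuse to report "locked" unless every grab status is SUCCESS, and never let an exception in the authentication path end the process, since process exit releases the grabs and unlocks the screen.

```python
"""Fail-closed patterns for an X screen locker (constructed example, not pyxtrlock)."""
import logging

# xcb_grab_status_t from xproto.h: the `status` field of a grab reply
XCB_GRAB_STATUS_SUCCESS = 0
XCB_GRAB_STATUS_ALREADY_GRABBED = 1
XCB_GRAB_STATUS_INVALID_TIME = 2
XCB_GRAB_STATUS_NOT_VIEWABLE = 3
XCB_GRAB_STATUS_FROZEN = 4
STATUS_NAMES = {0: "Success", 1: "AlreadyGrabbed", 2: "InvalidTime",
                3: "NotViewable", 4: "Frozen"}


def grab_all_inputs(grab_keyboard, grab_pointer, retries=3, retry_wait=lambda: None):
    """Grab keyboard and pointer; return (locked, statuses).

    Each callable stands in for xcb_grab_*_reply() and returns the reply's
    status, or None when the reply is NULL. Anything but SUCCESS is a failure
    (AlreadyGrabbed while a menu is open, for instance). A real locker sleeps
    in retry_wait() between attempts. The caller may only draw the lock screen
    when `locked` is True; the vulnerable pattern ignored the status entirely.
    """
    statuses = {}
    for name, grab in (("keyboard", grab_keyboard), ("pointer", grab_pointer)):
        status = None
        for attempt in range(retries):
            status = grab()
            if status == XCB_GRAB_STATUS_SUCCESS:
                break
            logging.warning("grab of %s failed: %s (attempt %d/%d)", name,
                            STATUS_NAMES.get(status, "no reply"), attempt + 1, retries)
            retry_wait()
        statuses[name] = status
        if status != XCB_GRAB_STATUS_SUCCESS:
            # Stop here rather than let the user believe the screen is locked
            # while this device is still free (exiting releases any grab held).
            return False, statuses
    return True, statuses


def auth_loop_unguarded(attempts, check_password, on_failure):
    """Vulnerable shape: an exception in the failure path propagates, the
    locker process dies and the X server drops its grabs."""
    failures = 0
    for entered in attempts:      # constructed stand-in for keyboard input
        if check_password(entered):
            return True
        failures += 1
        on_failure(failures)
    return False


def auth_loop(attempts, check_password, on_failure):
    """Hardened shape: a bug in the failure path is logged and the loop keeps
    the grabs and keeps asking; a real locker never leaves this loop without
    a correct password."""
    failures = 0
    for entered in attempts:
        try:
            if check_password(entered):
                return True
            failures += 1
            on_failure(failures)
        except Exception:  # failing closed is the point: swallow, keep locked
            logging.exception("error in failure path after %d failures", failures)
    return False


def make_failure_hook(crash_after):
    """Failure handler mimicking the advisory's bug class: a branch reached
    only after several failures that hits a misspelled variable name. The
    NameError is raised explicitly here to keep the example readable."""
    def on_failure(failures):
        if failures >= crash_after:
            raise NameError("name 'faillures' is not defined")  # constructed
    return on_failure


def survives(loop, attempts, check_password, on_failure):
    """True if the loop finishes without an exception escaping, i.e. the
    locker process would still be alive and holding its grabs."""
    try:
        loop(attempts, check_password, on_failure)
    except Exception:
        return False
    return True


def check_password(entered):
    """Constructed stand-in for the real PAM/shadow check."""
    return entered == "correct horse"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    flaky = iter([XCB_GRAB_STATUS_ALREADY_GRABBED, XCB_GRAB_STATUS_SUCCESS])
    print(grab_all_inputs(lambda: next(flaky), lambda: XCB_GRAB_STATUS_SUCCESS))
    print(grab_all_inputs(lambda: XCB_GRAB_STATUS_SUCCESS, lambda: XCB_GRAB_STATUS_FROZEN))
    typed = ["wrong", "wrong", "wrong", "correct horse"]   # constructed input
    hook = make_failure_hook(crash_after=3)
    print("unguarded survives:", survives(auth_loop_unguarded, typed, check_password, hook))
    print("guarded survives:  ", survives(auth_loop, typed, check_password, hook))
```

The retry loop matches the usual locker practice of retrying a grab a few times because AlreadyGrabbed is often transient (a popup menu closing), but the decisive part is the early return: after the retries are exhausted the function reports not-locked instead of proceeding, which is exactly the check the 0.2 fix added.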
