Bug#: 213940
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Attachments:
Filename | Description | Type | Creator | Created | Size
gnome-screensaver-CVE-2008-0887.patch | gnome-screensaver-CVE-2008-0887.patch | patch | Robert Buchholz | 2008-03-19 19:13 0000 | 7.78 KB
gnome-screensaver-2.20.0-r2.ebuild | gnome-screensaver-2.20.0-r3.ebuild | text/plain | Gilles Dartiguelongue | 2008-03-24 19:18 0000 | 2.99 KB
gnome-screensaver-2.22.0.ebuild | gnome-screensaver-2.22.0-r1.ebuild | text/plain | Gilles Dartiguelongue | 2008-03-24 19:19 0000 | 2.96 KB

Description:   Opened: 2008-03-19 19:09 0000
Josh Bressers writes:

We received a bug report regarding a flaw in the manner in which
gnome-screensaver behaves when using a network authentication scheme, and
the network vanishes.

The testing was done using NIS.

Here is the reproducer reported via our bug:

    Steps to Reproduce:

    1. Configure machine to be NIS server per:
       http://kbase.redhat.com/faq/FAQ_43_5684.shtm
    2. Configure a NIS client using system-config-authentication
    3. Login to GNOME desktop with NIS-only user.
    4. Lock the screen
    5. Stop the NIS server (customer disconnected network cable in his
       test)
    6. Press return in lock window.  Press cancel.
    7. Screen unlocks with no passwd prompt.

CVE-2008-0887 has been assigned to this issue.

------- Comment #1 From Robert Buchholz 2008-03-19 19:12:09 0000 -------
Mart, Saleem, this issue is under embargo until 2008-04-02. Do not commit
anything to CVS until this date. Please prepare an updated ebuild and attach it
to this bug, we will do prestable testing here. Thanks.

------- Comment #2 From Robert Buchholz 2008-03-19 19:13:38 0000 -------
Created an attachment (id=146599) [details]
gnome-screensaver-CVE-2008-0887.patch

upstream patch

------- Comment #3 From Gilles Dartiguelongue 2008-03-24 19:18:44 0000 -------
Created an attachment (id=147162) [details]
gnome-screensaver-2.20.0-r3.ebuild

here is the ebuild for gnome 2.20 

------- Comment #4 From Gilles Dartiguelongue 2008-03-24 19:19:29 0000 -------
Created an attachment (id=147163) [details]
gnome-screensaver-2.22.0-r1.ebuild

and the one for gnome 2.22 (which is still masked)

------- Comment #5 From Robert Buchholz 2008-03-24 19:26:40 0000 -------
Arch Security Liaisons, please test the attached ebuild and report it stable on
this bug.

=gnome-extra/gnome-screensaver-2.20.0-r3
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86"

CC'ing current Liaisons:
   alpha : ferdy
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer

------- Comment #6 From Ferris McCormick 2008-03-25 12:56:47 0000 -------
Sparc seems to be OK.

------- Comment #7 From Christian Faulhammer 2008-03-25 20:01:23 0000 -------
x86 happy saving lots of screens

------- Comment #8 From Jeroen Roovers 2008-03-25 20:46:35 0000 -------
OK for HPPA.

------- Comment #9 From Markus Rothe 2008-03-26 07:30:18 0000 -------
looks good on ppc64

------- Comment #10 From Robert Buchholz 2008-04-01 17:18:41 0000 -------
Gilles &co, this will go public tomorrow at 14:00 UTC. You can commit after
that date with the stable keywords gathered in this bug.

------- Comment #11 From Robert Buchholz 2008-04-02 12:47:26 0000 -------
public a little earlier, please commit.

------- Comment #12 From Gilles Dartiguelongue 2008-04-02 14:05:59 0000 -------
ebuilds are in CVS.

------- Comment #13 From Robert Buchholz 2008-04-02 14:13:12 0000 -------
Arches, please test and mark stable:
=gnome-extra/gnome-screensaver-2.20.0-r3
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86"
Already stabled : "hppa ppc64 sparc x86"
Missing keywords: "alpha amd64 ia64 ppc release"

------- Comment #14 From Raúl Porcel 2008-04-02 18:40:59 0000 -------
alpha/ia64 stable

------- Comment #15 From Markus Meier 2008-04-02 19:33:53 0000 -------
amd64 stable

------- Comment #16 From Tobias Scherbaum 2008-04-03 20:12:55 0000 -------
ppc stable

------- Comment #17 From Robert Buchholz 2008-04-03 22:43:13 0000 -------
GLSA vote: YES

------- Comment #18 From Peter Volkov 2008-04-04 05:21:08 0000 -------
Fixed in release snapshot.

------- Comment #19 From Raphael Marichez 2008-04-09 17:17:55 0000 -------
Surprisingly that sounds very similar to
http://www.gentoo.org/security/en/glsa/glsa-200705-14.xml

Voting Yes. Let's do it

------- Comment #20 From Pierre-Yves Rofes 2008-05-09 14:28:41 0000 -------
This was GLSA 200804-12
