176584 2007-04-30 14:35 0000 x11-misc/xscreensaver Authentication flaw (CVE-2007-1859) 2007-11-20 09:22:11 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/25065/ B? [glsa] jaervosz P2 normal --- 1 jaervosz@gentoo.org security@gentoo.org jaervosz@gentoo.org 2007-04-30 14:35:09 0000 I'm not sure this is public yet. From post on Vendor-sec: According to Ray Strode this is due to a flaw in the way xscreensaver parses a call to getpwuid(getuid()), a local user can unlock the screen using any password. It seems the call to getpwuid can return NULL in this instance. I'm attaching Ray's patch. This is fixed in 5.02 but a quick search of the Changelog didn't mention this explicitly. jaervosz@gentoo.org 2007-04-30 14:35:30 0000 drac please advise. ssuominen@gentoo.org 2007-05-01 13:09:55 0000 Could you attach the patch mentioned? ssuominen@gentoo.org 2007-05-01 13:48:56 0000 I'm working on upgrading xscreensaver as we speak but I would like to verify it really fixes this issue. jaervosz@gentoo.org 2007-05-01 14:16:15 0000 Created an attachment (id=117844) xscreensaver-4.18-check-for-null-passwd-entry.patch ssuominen@gentoo.org 2007-05-01 14:26:33 0000 (In reply to comment #4) > Created an attachment (id=117844) [edit] > xscreensaver-4.18-check-for-null-passwd-entry.patch > Confirming it's fixed in 5.02. jaervosz@gentoo.org 2007-05-01 14:39:36 0000 Samuli, is 5.x ready for stable marking? Also I did you find any detailed public information about this yet? ssuominen@gentoo.org 2007-05-01 15:03:58 0000 (In reply to comment #6) > Samuli, is 5.x ready for stable marking? 5.02 fixing this issue is ready to go stable, and bug 167688 should be marked duplicate of it. > > Also did you find any detailed public information about this yet? > Couldn't find any information about it. jaervosz@gentoo.org 2007-05-01 15:27:19 0000 Calling arch security liaisons. Please test and mark stable. Bug #167688 will be duped once this goes public. I guess alpha and mips can unCC themselves from it though. corsair@gentoo.org 2007-05-01 17:50:43 0000 xscreensaver-5.01-nsfw.patch does not apply: * Applying xscreensaver-5.01-nsfw.patch ... * Failed Patch: xscreensaver-5.01-nsfw.patch ! * ( /usr/portage/x11-misc/xscreensaver/files/xscreensaver-5.01-nsfw.patch ) * * Include in your bugreport the contents of: * * /var/tmp/paludis/x11-misc/xscreensaver-5.02/temp//xscreensaver-5.01-nsfw.patch-17175.out jaervosz@gentoo.org 2007-05-01 18:06:28 0000 Back to ebuild status to get this fixed. ssuominen@gentoo.org 2007-05-01 18:45:05 0000 (In reply to comment #10) > Back to ebuild status to get this fixed. > Oops, overlooked patch used for USE="-offensive". Fixed patch is in CVS, thanks Corsair for not using offensive material. :-) jaervosz@gentoo.org 2007-05-01 18:48:26 0000 Back to stable again then :) corsair@gentoo.org 2007-05-02 08:04:48 0000 ppc64 stable gustavoz@gentoo.org 2007-05-02 13:29:07 0000 sparc stable. beandog@gentoo.org 2007-05-02 14:09:40 0000 amd64 stable kloeri@gentoo.org 2007-05-02 18:59:38 0000 Alpha stable. tsunam@gentoo.org 2007-05-03 02:27:10 0000 I'll get to it tomorrow, I just got back and need to recover from the trip killerfox@gentoo.org 2007-05-03 04:49:35 0000 I'm not able to do the security stuff until 11th of May. For more information look at my devaway. Adding JeR to all security relevant bugs. ssuominen@gentoo.org 2007-05-03 13:10:45 0000 *** Bug 176913 has been marked as a duplicate of this bug. *** jaervosz@gentoo.org 2007-05-03 18:26:36 0000 Opening since this is public now and replacing arch security liasons with arches. dertobi123@gentoo.org 2007-05-03 19:09:20 0000 ppc stable armin76@gentoo.org 2007-05-03 20:15:19 0000 ia64 + x86 stable and removing security liaisons. jer@gentoo.org 2007-05-05 05:22:07 0000 Stable for HPPA. jaervosz@gentoo.org 2007-05-05 06:35:44 0000 This one is ready for GLSA vote. I vote YES. py@gentoo.org 2007-05-08 10:39:41 0000 vote YES too. falco@gentoo.org 2007-05-08 15:30:49 0000 s/A/B since it's under certain configurations only jaervosz@gentoo.org 2007-05-19 22:58:27 0000 GLSA 200705-14 kumba@gentoo.org 2007-11-20 05:30:27 0000 mips has 5.03 stable, per Bug #195253. 117844 2007-05-01 14:16 0000 xscreensaver-4.18-check-for-null-passwd-entry.patch xscreensaver-4.18-check-for-null-passwd-entry.patch text/plain LS0tIHhzY3JlZW5zYXZlci00LjE4L2RyaXZlci9sb2NrLmMuY2hlY2stZm9yLW51bGwtcGFzc3dk LWVudHJ5CTIwMDctMDQtMTggMTY6MjU6MzMuMDAwMDAwMDAwIC0wNDAwCisrKyB4c2NyZWVuc2F2 ZXItNC4xOC9kcml2ZXIvbG9jay5jCTIwMDctMDQtMTggMTY6MjY6MDEuMDAwMDAwMDAwIC0wNDAw CkBAIC0xMjg5LDcgKzEyODksNyBAQAogICAgICAgKi8KICAgICAgIHN0cnVjdCBwYXNzd2QgKnB3 ID0gZ2V0cHd1aWQgKGdldHVpZCAoKSk7CiAgICAgICBjaGFyICpkID0gRGlzcGxheVN0cmluZyAo c2ktPmRweSk7Ci0gICAgICBjaGFyICp1ID0gKHB3LT5wd19uYW1lID8gcHctPnB3X25hbWUgOiAi Pz8/Iik7CisgICAgICBjaGFyICp1ID0gKHB3ICYmIHB3LT5wd19uYW1lID8gcHctPnB3X25hbWUg OiAiPz8/Iik7CiAgICAgICBpbnQgb3B0ID0gMDsKICAgICAgIGludCBmYWMgPSAwOwogCg==