Bug 176584 - x11-misc/xscreensaver Authentication flaw (CVE-2007-1859)
Bug#: 176584 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL:  http://secunia.com/advisories/25065/
Summary: x11-misc/xscreensaver Authentication flaw (CVE-2007-1859)
Keywords:  
Status Whiteboard: B? [glsa] jaervosz
Opened: 2007-04-30 14:35 0000
Description:   Opened: 2007-04-30 14:35 0000 
I'm not sure this is public yet. From post on Vendor-sec:

According to Ray Strode this is due to a flaw in the way xscreensaver
parses a call to getpwuid(getuid()), a local user can unlock the screen
using any password.  It seems the call to getpwuid can return NULL in this
instance.  I'm attaching Ray's patch.

This is fixed in 5.02 but a quick search of the Changelog didn't mention this
explicitly.

------- Comment #1 From Sune Kloppenborg Jeppesen 2007-04-30 14:35:30 0000 ------- 
drac please advise.

------- Comment #2 From Samuli Suominen 2007-05-01 13:09:55 0000 ------- 
Could you attach the patch mentioned?

------- Comment #3 From Samuli Suominen 2007-05-01 13:48:56 0000 ------- 
I'm working on upgrading xscreensaver as we speak but I would like to verify it
really fixes this issue.

------- Comment #4 From Sune Kloppenborg Jeppesen 2007-05-01 14:16:15 0000 ------- 
Created an attachment (id=117844) [details]
xscreensaver-4.18-check-for-null-passwd-entry.patch

------- Comment #5 From Samuli Suominen 2007-05-01 14:26:33 0000 ------- 
(In reply to comment #4)
> Created an attachment (id=117844) [edit] [details]
> xscreensaver-4.18-check-for-null-passwd-entry.patch
> 

Confirming it's fixed in 5.02.

------- Comment #6 From Sune Kloppenborg Jeppesen 2007-05-01 14:39:36 0000 ------- 
Samuli, is 5.x ready for stable marking?

Also I did you find any detailed public information about this yet?

------- Comment #7 From Samuli Suominen 2007-05-01 15:03:58 0000 ------- 
(In reply to comment #6)
> Samuli, is 5.x ready for stable marking?


5.02 fixing this issue is ready to go stable, and bug 167688 should be marked
duplicate of it.

> 
> Also did you find any detailed public information about this yet?
> 

Couldn't find any information about it.

------- Comment #8 From Sune Kloppenborg Jeppesen 2007-05-01 15:27:19 0000 ------- 
Calling arch security liaisons. Please test and mark stable.

Bug #167688 will be duped once this goes public. I guess alpha and mips can
unCC themselves from it though.

------- Comment #9 From Markus Rothe 2007-05-01 17:50:43 0000 ------- 
xscreensaver-5.01-nsfw.patch does not apply:


* Applying xscreensaver-5.01-nsfw.patch ...

 * Failed Patch: xscreensaver-5.01-nsfw.patch !
 *  ( /usr/portage/x11-misc/xscreensaver/files/xscreensaver-5.01-nsfw.patch )
 * 
 * Include in your bugreport the contents of:
 * 
 *  
/var/tmp/paludis/x11-misc/xscreensaver-5.02/temp//xscreensaver-5.01-nsfw.patch-17175.out

------- Comment #10 From Sune Kloppenborg Jeppesen 2007-05-01 18:06:28 0000 ------- 
Back to ebuild status to get this fixed.

------- Comment #11 From Samuli Suominen 2007-05-01 18:45:05 0000 ------- 
(In reply to comment #10)
> Back to ebuild status to get this fixed.
> 

Oops, overlooked patch used for USE="-offensive". Fixed patch is in CVS, thanks
Corsair for not using offensive material. :-)

------- Comment #12 From Sune Kloppenborg Jeppesen 2007-05-01 18:48:26 0000 ------- 
Back to stable again then :)

------- Comment #13 From Markus Rothe 2007-05-02 08:04:48 0000 ------- 
ppc64 stable

------- Comment #14 From Gustavo Zacarias (RETIRED) 2007-05-02 13:29:07 0000 ------- 
sparc stable.

------- Comment #15 From Steve Dibb 2007-05-02 14:09:40 0000 ------- 
amd64 stable

------- Comment #16 From Bryan Østergaard (RETIRED) 2007-05-02 18:59:38 0000 ------- 
Alpha stable.

------- Comment #17 From Joshua Jackson 2007-05-03 02:27:10 0000 ------- 
I'll get to it tomorrow, I just got back and need to recover from the trip

------- Comment #18 From René Nussbaumer 2007-05-03 04:49:35 0000 ------- 
I'm not able to do the security stuff until 11th of May. For more information
look at my devaway. Adding JeR to all security relevant bugs.

------- Comment #19 From Samuli Suominen 2007-05-03 13:10:45 0000 ------- 
*** Bug 176913 has been marked as a duplicate of this bug. ***

------- Comment #20 From Sune Kloppenborg Jeppesen 2007-05-03 18:26:36 0000 ------- 
Opening since this is public now and replacing arch security liasons with
arches.

------- Comment #21 From Tobias Scherbaum 2007-05-03 19:09:20 0000 ------- 
ppc stable

------- Comment #22 From Raúl Porcel 2007-05-03 20:15:19 0000 ------- 
ia64 + x86 stable and removing security liaisons.

------- Comment #23 From Jeroen Roovers 2007-05-05 05:22:07 0000 ------- 
Stable for HPPA.

------- Comment #24 From Sune Kloppenborg Jeppesen 2007-05-05 06:35:44 0000 ------- 
This one is ready for GLSA vote. I vote YES.

------- Comment #25 From Pierre-Yves Rofes 2007-05-08 10:39:41 0000 ------- 
vote YES too.

------- Comment #26 From Raphael Marichez 2007-05-08 15:30:49 0000 ------- 
s/A/B since it's under certain configurations only

------- Comment #27 From Sune Kloppenborg Jeppesen 2007-05-19 22:58:27 0000 ------- 
GLSA 200705-14

------- Comment #28 From Joshua Kinard 2007-11-20 05:30:27 0000 ------- 
mips has 5.03 stable, per Bug #195253.