176584 – x11-misc/xscreensaver Authentication flaw (CVE-2007-1859)

Bug 176584 - x11-misc/xscreensaver Authentication flaw (CVE-2007-1859)

Summary: x11-misc/xscreensaver Authentication flaw (CVE-2007-1859)

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://secunia.com/advisories/25065/
Whiteboard:	B? [glsa] jaervosz
Keywords:

Duplicates (1):	176913 (view as bug list)
Depends on:
Blocks:

Reported:	2007-04-30 14:35 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified:	2007-11-20 09:22 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
xscreensaver-4.18-check-for-null-passwd-entry.patch (xscreensaver-4.18-check-for-null-passwd-entry.patch,451 bytes, patch) 2007-05-01 14:16 UTC, Sune Kloppenborg Jeppesen (RETIRED)	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-04-30 14:35:09 UTC

I'm not sure this is public yet. From post on Vendor-sec:

According to Ray Strode this is due to a flaw in the way xscreensaver
parses a call to getpwuid(getuid()), a local user can unlock the screen
using any password.  It seems the call to getpwuid can return NULL in this
instance.  I'm attaching Ray's patch.

This is fixed in 5.02 but a quick search of the Changelog didn't mention this explicitly.

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-04-30 14:35:30 UTC

drac please advise.

Comment 2 Samuli Suominen (RETIRED) gentoo-dev

2007-05-01 13:09:55 UTC

Could you attach the patch mentioned?

Comment 3 Samuli Suominen (RETIRED) gentoo-dev

2007-05-01 13:48:56 UTC

I'm working on upgrading xscreensaver as we speak but I would like to verify it really fixes this issue.

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-05-01 14:16:15 UTC

Created attachment 117844 [details, diff]
xscreensaver-4.18-check-for-null-passwd-entry.patch

Comment 5 Samuli Suominen (RETIRED) gentoo-dev

2007-05-01 14:26:33 UTC

(In reply to comment #4)
> Created an attachment (id=117844) [edit]
> xscreensaver-4.18-check-for-null-passwd-entry.patch
> 

Confirming it's fixed in 5.02.

Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-05-01 14:39:36 UTC

Samuli, is 5.x ready for stable marking?

Also I did you find any detailed public information about this yet?

Comment 7 Samuli Suominen (RETIRED) gentoo-dev

2007-05-01 15:03:58 UTC

(In reply to comment #6)
> Samuli, is 5.x ready for stable marking?


5.02 fixing this issue is ready to go stable, and bug 167688 should be marked duplicate of it.

> 
> Also did you find any detailed public information about this yet?
> 

Couldn't find any information about it.

Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-05-01 15:27:19 UTC

Calling arch security liaisons. Please test and mark stable.

Bug #167688 will be duped once this goes public. I guess alpha and mips can unCC themselves from it though.

Comment 9 Markus Rothe (RETIRED) gentoo-dev

2007-05-01 17:50:43 UTC

xscreensaver-5.01-nsfw.patch does not apply:


* Applying xscreensaver-5.01-nsfw.patch ...

 * Failed Patch: xscreensaver-5.01-nsfw.patch !
 *  ( /usr/portage/x11-misc/xscreensaver/files/xscreensaver-5.01-nsfw.patch )
 * 
 * Include in your bugreport the contents of:
 * 
 *   /var/tmp/paludis/x11-misc/xscreensaver-5.02/temp//xscreensaver-5.01-nsfw.patch-17175.out

Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-05-01 18:06:28 UTC

Back to ebuild status to get this fixed.

Comment 11 Samuli Suominen (RETIRED) gentoo-dev

2007-05-01 18:45:05 UTC

(In reply to comment #10)
> Back to ebuild status to get this fixed.
> 

Oops, overlooked patch used for USE="-offensive". Fixed patch is in CVS, thanks Corsair for not using offensive material. :-)

Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-05-01 18:48:26 UTC

Back to stable again then :)

Comment 13 Markus Rothe (RETIRED) gentoo-dev

2007-05-02 08:04:48 UTC

ppc64 stable

Comment 14 Gustavo Zacarias (RETIRED) gentoo-dev

2007-05-02 13:29:07 UTC

sparc stable.

Comment 15 Steve Dibb (RETIRED) gentoo-dev

2007-05-02 14:09:40 UTC

amd64 stable

Comment 16 Bryan Østergaard (RETIRED) gentoo-dev

2007-05-02 18:59:38 UTC

Alpha stable.

Comment 17 Joshua Jackson (RETIRED) gentoo-dev

2007-05-03 02:27:10 UTC

I'll get to it tomorrow, I just got back and need to recover from the trip

Comment 18 René Nussbaumer (RETIRED) gentoo-dev

2007-05-03 04:49:35 UTC

I'm not able to do the security stuff until 11th of May. For more information look at my devaway. Adding JeR to all security relevant bugs.

Comment 19 Samuli Suominen (RETIRED) gentoo-dev

2007-05-03 13:10:45 UTC

*** Bug 176913 has been marked as a duplicate of this bug. ***

Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-05-03 18:26:36 UTC

Opening since this is public now and replacing arch security liasons with arches.

Comment 21 Tobias Scherbaum (RETIRED) gentoo-dev

2007-05-03 19:09:20 UTC

ppc stable

Comment 22 Raúl Porcel (RETIRED) gentoo-dev

2007-05-03 20:15:19 UTC

ia64 + x86 stable and removing security liaisons.

Comment 23 Jeroen Roovers (RETIRED) gentoo-dev

2007-05-05 05:22:07 UTC

Stable for HPPA.

Comment 24 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-05-05 06:35:44 UTC

This one is ready for GLSA vote. I vote YES.

Comment 25 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-05-08 10:39:41 UTC

vote YES too.

Comment 26 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-05-08 15:30:49 UTC

s/A/B since it's under certain configurations only

Comment 27 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-05-19 22:58:27 UTC

GLSA 200705-14

Comment 28 Joshua Kinard gentoo-dev

2007-11-20 05:30:27 UTC

mips has 5.03 stable, per Bug #195253.