Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 440776 (CVE-2012-4524) - <x11-misc/xlockmore-5.41: Screensaver crash (screen lock bypass) when 'dclock' mode used (CVE-2012-4524)
Summary: <x11-misc/xlockmore-5.41: Screensaver crash (screen lock bypass) when 'dclock...
Status: RESOLVED FIXED
Alias: CVE-2012-4524
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-01 16:16 UTC by Agostino Sarubbo
Modified: 2013-09-02 09:33 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-11-01 16:16:29 UTC 
From https://bugzilla.redhat.com/show_bug.cgi?id=867908 :

A denial of service flaw was found in the way xlockmore, X screen lock and screen saver, performed 
passing arguments to underlying localtime() call, when the 'dlock' mode was used. An attacker could 
use this flaw to potentially obtain unauthorized access to screen / graphical session, previously 
locked by another user / victim.

CVE request (containing also patch proposal):
[1] http://www.openwall.com/lists/oss-security/2012/10/17/10
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2012-11-02 16:28:36 UTC 
5.41
  ...
  dclock: fix for segmentation violation noticed on NetBSD and now more Y2038
    safe thanks to Ignatios Souvatzis <is AT netbsd.org>.
  ...

Arch teams, please test and mark stable:
=x11-misc/xlockmore-5.41
Stable KEYWORDS : alpha amd64 hppa ppc ppc64 sparc x86
Comment 2 Anthony Basile gentoo-dev 2012-11-02 22:46:57 UTC 
stable ppc ppc64
Comment 3 Agostino Sarubbo gentoo-dev 2012-11-03 15:35:21 UTC 
amd64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2012-11-03 17:00:43 UTC 
Stable for HPPA.
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2012-11-11 16:35:37 UTC 
alpha/sparc/x86 stable
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-12 11:43:19 UTC 
Thanks, everyone.

GLSA vote: yes.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2012-12-16 22:04:32 UTC 
Vote: yes, GLSA request created.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-09-02 09:33:05 UTC 
This issue was resolved and addressed in
 GLSA 201309-03 at http://security.gentoo.org/glsa/glsa-201309-03.xml
by GLSA coordinator Sergey Popov (pinkbyte).