213940 – (CVE-2008-0887) gnome-extra/gnome-screensaver <2.20.0-r3 Network authentication lock loss (CVE-2008-0887)

Bug 213940 (CVE-2008-0887) - gnome-extra/gnome-screensaver <2.20.0-r3 Network authentication lock loss (CVE-2008-0887)

Summary: gnome-extra/gnome-screensaver <2.20.0-r3 Network authentication lock loss (CV...

Status:	RESOLVED FIXED

Alias:	CVE-2008-0887

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2008-03-19 19:09 UTC by Robert Buchholz (RETIRED)
Modified:	2008-05-09 14:28 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
gnome-screensaver-CVE-2008-0887.patch (gnome-screensaver-CVE-2008-0887.patch,7.78 KB, patch) 2008-03-19 19:13 UTC, Robert Buchholz (RETIRED)	no flags	Details \| Diff
gnome-screensaver-2.20.0-r3.ebuild (gnome-screensaver-2.20.0-r2.ebuild,2.99 KB, text/plain) 2008-03-24 19:18 UTC, Gilles Dartiguelongue (RETIRED)	no flags	Details
gnome-screensaver-2.22.0-r1.ebuild (gnome-screensaver-2.22.0.ebuild,2.96 KB, text/plain) 2008-03-24 19:19 UTC, Gilles Dartiguelongue (RETIRED)	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Buchholz (RETIRED) gentoo-dev

2008-03-19 19:09:17 UTC

Josh Bressers writes:

We received a bug report regarding a flaw in the manner which
gnome-screensaver behaves when using a network authentication scheme, and
the network vanishes.

The testing was done using NIS.

Here is the reproducer reported via our bug:

    Steps to Reproduce:

    1. Configure machine to be NIS server per:
       http://kbase.redhat.com/faq/FAQ_43_5684.shtm
    2. Configure a NIS client using system-config-authentication
    3. Login to GNOME desktop with NIS-only user.
    4. Lock the screen
    5. Stop the NIS server (customer disconnected network cable in his
       test)
    6. Press return in lock window.  Press cancel.
    7. Screen unlocks with no passwd prompt.

CVE-2008-0887 has been assigned to this issue.

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2008-03-19 19:12:09 UTC

Mart, Saleem, this issue is under embargo until 2008-04-02. Do not commit anything to CVS until this date. Please prepare an updated ebuild and attach it to this bug, we will do prestable testing here. Thanks.

Comment 2 Robert Buchholz (RETIRED) gentoo-dev

2008-03-19 19:13:38 UTC

Created attachment 146599 [details, diff]
gnome-screensaver-CVE-2008-0887.patch

upstream patch

Comment 3 Gilles Dartiguelongue (RETIRED) gentoo-dev

2008-03-24 19:18:44 UTC

Created attachment 147162 [details]
gnome-screensaver-2.20.0-r3.ebuild

here is the ebuild for gnome 2.20

Comment 4 Gilles Dartiguelongue (RETIRED) gentoo-dev

2008-03-24 19:19:29 UTC

Created attachment 147163 [details]
gnome-screensaver-2.22.0-r1.ebuild

and the one for gnome 2.22 (which is still masked)

Comment 5 Robert Buchholz (RETIRED) gentoo-dev

2008-03-24 19:26:40 UTC

Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.

=gnome-extra/gnome-screensaver-2.20.0-r3
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86"

CC'ing current Liaisons:
   alpha : ferdy
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer

Comment 6 Ferris McCormick (RETIRED) gentoo-dev

2008-03-25 12:56:47 UTC

Sparc seems to be OK.

Comment 7 Christian Faulhammer (RETIRED) gentoo-dev

2008-03-25 20:01:23 UTC

x86 happy saving lots of screens

Comment 8 Jeroen Roovers (RETIRED) gentoo-dev

2008-03-25 20:46:35 UTC

OK for HPPA.

Comment 9 Markus Rothe (RETIRED) gentoo-dev

2008-03-26 07:30:18 UTC

looks good on ppc64

Comment 10 Robert Buchholz (RETIRED) gentoo-dev

2008-04-01 17:18:41 UTC

Gilles &co, this will go public tomorrow at 14:00 UTC. You can commit after that date with the stable keywords gathered in this bug.

Comment 11 Robert Buchholz (RETIRED) gentoo-dev

2008-04-02 12:47:26 UTC

public a little earlier, please commit.

Comment 12 Gilles Dartiguelongue (RETIRED) gentoo-dev

2008-04-02 14:05:59 UTC

ebuilds are in CVS.

Comment 13 Robert Buchholz (RETIRED) gentoo-dev

2008-04-02 14:13:12 UTC

Arches, please test and mark stable:
=gnome-extra/gnome-screensaver-2.20.0-r3
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86"
Already stabled : "hppa ppc64 sparc x86"
Missing keywords: "alpha amd64 ia64 ppc release"

Comment 14 Raúl Porcel (RETIRED) gentoo-dev

2008-04-02 18:40:59 UTC

alpha/ia64 stable

Comment 15 Markus Meier gentoo-dev

2008-04-02 19:33:53 UTC

amd64 stable

Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev

2008-04-03 20:12:55 UTC

ppc stable

Comment 17 Robert Buchholz (RETIRED) gentoo-dev

2008-04-03 22:43:13 UTC

GLSA vote: YES

Comment 18 Peter Volkov (RETIRED) gentoo-dev

2008-04-04 05:21:08 UTC

Fixed in release snapshot.

Comment 19 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2008-04-09 17:17:55 UTC

Surprisingly that sounds very similar to http://www.gentoo.org/security/en/glsa/glsa-200705-14.xml

Voting Yes. Let's do it

Comment 20 Pierre-Yves Rofes (RETIRED) gentoo-dev

2008-05-09 14:28:41 UTC

This was GLSA 200804-12