
Bug 176584

Summary: x11-misc/xscreensaver Authentication flaw (CVE-2007-1859)
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/25065/
Whiteboard: B? [glsa] jaervosz
Package list:
Runtime testing required: ---
Attachments:
Description Flags
xscreensaver-4.18-check-for-null-passwd-entry.patch none

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-30 14:35:09 UTC
I'm not sure this is public yet. From post on Vendor-sec:

According to Ray Strode this is due to a flaw in the way xscreensaver
parses a call to getpwuid(getuid()), a local user can unlock the screen
using any password.  It seems the call to getpwuid can return NULL in this
instance.  I'm attaching Ray's patch.

This is fixed in 5.02 but a quick search of the Changelog didn't mention this explicitly.
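
The failure mode described above, as an added example (not xscreensaver's code and not Ray Strode's patch): an unlock path that fails closed when the passwd lookup returns NULL. The names `try_unlock`, `pw_lookup_fn`, `verify_fn` and the stub functions are hypothetical, and the account name and secret are constructed.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical hooks so the NULL case can be exercised without a real lock. */
typedef struct passwd *(*pw_lookup_fn)(uid_t uid);
typedef int (*verify_fn)(const char *user, const char *typed);

/* Returns 1 only when the account was resolved AND the verifier accepted. */
int try_unlock(pw_lookup_fn lookup, verify_fn verify, uid_t uid, const char *typed)
{
    struct passwd *pw;
    int err;
    if (lookup == NULL || verify == NULL || typed == NULL)
        return 0;
    errno = 0;          /* NULL means error or no entry; errno tells them apart */
    pw = lookup(uid);
    err = errno;
    if (pw == NULL || pw->pw_name == NULL || pw->pw_name[0] == '\0') {
        /* Fail closed: with no account there is nothing to verify against. */
        fprintf(stderr, "unlock denied: uid %lu: %s\n", (unsigned long)uid,
                err ? strerror(err) : "no passwd entry");
        return 0;
    }
    return verify(pw->pw_name, typed) == 1;
}

/* Constructed stubs: a lookup that fails, one that succeeds, a toy verifier. */
struct passwd *lookup_missing(uid_t uid) { (void)uid; return NULL; }
struct passwd *lookup_fixed(uid_t uid)
{
    static char name[] = "alice";
    static struct passwd pw;
    (void)uid;
    pw.pw_name = name;
    return &pw;
}
int verify_demo(const char *user, const char *typed)
{
    return strcmp(user, "alice") == 0 && strcmp(typed, "constructed-secret") == 0;
}

int main(void)
{
    printf("missing=%d ok=%d\n",
           try_unlock(lookup_missing, verify_demo, 1000, "anything"),
           try_unlock(lookup_fixed, verify_demo, 1000, "constructed-secret"));
    return 0;
}
```

In real code the lookup hook would be `getpwuid` itself and the verifier would be the system's authentication backend; the point is that a NULL passwd entry is treated as a denied unlock, never as a skipped check.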
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-30 14:35:30 UTC
drac please advise.
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2007-05-01 13:09:55 UTC
Could you attach the patch mentioned?
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2007-05-01 13:48:56 UTC
I'm working on upgrading xscreensaver as we speak but I would like to verify it really fixes this issue.
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-01 14:16:15 UTC
Created attachment 117844
xscreensaver-4.18-check-for-null-passwd-entry.patch
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2007-05-01 14:26:33 UTC
(In reply to comment #4)
> Created an attachment (id=117844)
> xscreensaver-4.18-check-for-null-passwd-entry.patch
> 

Confirming it's fixed in 5.02.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-01 14:39:36 UTC
Samuli, is 5.x ready for stable marking?

Also, did you find any detailed public information about this yet?
Comment 7 Samuli Suominen (RETIRED) gentoo-dev 2007-05-01 15:03:58 UTC
(In reply to comment #6)
> Samuli, is 5.x ready for stable marking?


5.02 fixing this issue is ready to go stable, and bug 167688 should be marked duplicate of it.

> 
> Also did you find any detailed public information about this yet?
> 

Couldn't find any information about it.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-01 15:27:19 UTC
Calling arch security liaisons. Please test and mark stable.

Bug #167688 will be duped once this goes public. I guess alpha and mips can unCC themselves from it though.
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2007-05-01 17:50:43 UTC
xscreensaver-5.01-nsfw.patch does not apply:


* Applying xscreensaver-5.01-nsfw.patch ...

 * Failed Patch: xscreensaver-5.01-nsfw.patch !
 *  ( /usr/portage/x11-misc/xscreensaver/files/xscreensaver-5.01-nsfw.patch )
 * 
 * Include in your bugreport the contents of:
 * 
 *   /var/tmp/paludis/x11-misc/xscreensaver-5.02/temp//xscreensaver-5.01-nsfw.patch-17175.out
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-01 18:06:28 UTC
Back to ebuild status to get this fixed.
Comment 11 Samuli Suominen (RETIRED) gentoo-dev 2007-05-01 18:45:05 UTC
(In reply to comment #10)
> Back to ebuild status to get this fixed.
> 

Oops, overlooked patch used for USE="-offensive". Fixed patch is in CVS, thanks Corsair for not using offensive material. :-)
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-01 18:48:26 UTC
Back to stable again then :)
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2007-05-02 08:04:48 UTC
ppc64 stable
Comment 14 Gustavo Zacarias (RETIRED) gentoo-dev 2007-05-02 13:29:07 UTC
sparc stable.
Comment 15 Steve Dibb (RETIRED) gentoo-dev 2007-05-02 14:09:40 UTC
amd64 stable
Comment 16 Bryan Østergaard (RETIRED) gentoo-dev 2007-05-02 18:59:38 UTC
Alpha stable.
Comment 17 Joshua Jackson (RETIRED) gentoo-dev 2007-05-03 02:27:10 UTC
I'll get to it tomorrow, I just got back and need to recover from the trip
Comment 18 René Nussbaumer (RETIRED) gentoo-dev 2007-05-03 04:49:35 UTC
I'm not able to do the security stuff until 11th of May. For more information look at my devaway. Adding JeR to all security relevant bugs.
Comment 19 Samuli Suominen (RETIRED) gentoo-dev 2007-05-03 13:10:45 UTC
*** Bug 176913 has been marked as a duplicate of this bug. ***
Comment 20 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-03 18:26:36 UTC
Opening since this is public now and replacing arch security liaisons with arches.
Comment 21 Tobias Scherbaum (RETIRED) gentoo-dev 2007-05-03 19:09:20 UTC
ppc stable
Comment 22 Raúl Porcel (RETIRED) gentoo-dev 2007-05-03 20:15:19 UTC
ia64 + x86 stable and removing security liaisons.
Comment 23 Jeroen Roovers (RETIRED) gentoo-dev 2007-05-05 05:22:07 UTC
Stable for HPPA.
Comment 24 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-05 06:35:44 UTC
This one is ready for GLSA vote. I vote YES.
Comment 25 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-05-08 10:39:41 UTC
vote YES too.
Comment 26 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-05-08 15:30:49 UTC
s/A/B since it's under certain configurations only
Comment 27 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-19 22:58:27 UTC
GLSA 200705-14
Comment 28 Joshua Kinard gentoo-dev 2007-11-20 05:30:27 UTC
mips has 5.03 stable, per Bug #195253.