Summary: | x11-wm/compiz x11-wm/beryl-core gnome-screensaver password bypass (CVE-2007-3920)
---|---
Product: | Gentoo Security
Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | trivial
CC: | hanno, lkundrak, tsunam
Priority: | High
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | http://www.ubuntu.com/usn/usn-537-1
Whiteboard: | ~1 [noglsa]
Package list: |
Runtime testing required: | ---

Description
Sune Kloppenborg Jeppesen (RETIRED)
2007-10-24 06:08:12 UTC
Sadly the Ubuntu announcement doesn't state if this fix is inside the upstream release. Does anyone know details?

Created attachment 134216
05_locking_for_compiz.patch

The bug is here: https://launchpad.net/bugs/145123 The patch is attached.

Seems like Ubuntu fixed it in the wrong place anyway https://bugzilla.redhat.com/show_bug.cgi?id=350271

(In reply to comment #3)
> Seems like Ubuntu fixed it in the wrong place anyway
> https://bugzilla.redhat.com/show_bug.cgi?id=350271

Lubomir, there's no movement on the RH bug. Do you have a patch for compiz?

Created attachment 135282
compiz-0.6.2-CVE-2007-3920.patch

Created attachment 135284
beryl-core-0.2.1-CVE-2007-3920.patch

Seems I asked too early, Ubuntu fixed this on the compiz side: http://www.ubuntu.com/usn/usn-537-2 Attached are the patch for Compiz, which applies cleanly, and a patch for beryl-core, which needed some changes. Hanno, Tsunam: Can you please test and apply the patch, check with upstream and advise whether Compiz Fusion or any other *compiz* ebuild is affected by this?

I've committed compiz-0.6.2 with the patch. Beryl is outdated, I've asked tsunam and removed it, with updates to the corresponding cf-stuff. I think this should be everything?

(In reply to comment #8)
> I've committed compiz-0.6.2 with the patch. Beryl is outdated, I've asked
> tsunam and removed it, with updates to the corresponding cf-stuff.

Uhh.. no last-rites?

> I think this should be everything?

My guess would be that Compiz fusion is also affected, but I didn't dig through the code there. Can you advise on that?

No last rites, because mainly beryl to compiz-fusion-transition is a renaming of various packages. All beryl stuff has its equivalent in the compiz/cf-world. About the issue affecting cf: I don't think there is anything, because cf is not a wm/compositemanager itself. It's just a set of plugins and tools around compiz, as this fix affects the core, there shouldn't be any issues left.

noglsa then.

(In reply to comment #10)
> About the issue affecting cf: I don't think there is anything, because cf is
> not a wm/compositemanager itself. It's just a set of plugins and tools around
> compiz, as this fix affects the core, there shouldn't be any issues left.

Out of curiosity: Who provides the functionality then? If cf can replace beryl, it can't be removed totally, can it?