|Summary:||x11-wm/compiz x11-wm/beryl-core gnome-screensaver password bypass (CVE-2007-3920)|
|Product:||Gentoo Security||Reporter:||Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||trivial||CC:||hanno, lkundrak, tsunam|
|Package list:||Runtime testing required:||---|
Description Sune Kloppenborg Jeppesen (RETIRED) 2007-10-24 06:08:12 UTC
Since we don't ship a stable compiz I'm not too sure about this one but it would likely be best if we get it fixed.

---

===========================================================
Ubuntu Security Notice USN-537-1 October 23, 2007
gnome-screensaver vulnerability
CVE-2007-3920
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.10

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 7.10:
gnome-screensaver 2.20.0-0ubuntu4.2

After a standard system upgrade you need to restart your session to effect the necessary changes.

Details follow:

Jens Askengren discovered that gnome-screensaver became confused when running under Compiz, and could lose keyboard lock focus. A local attacker could exploit this to bypass the user's locked screen saver.
Comment 1 Hanno Böck 2007-10-24 10:14:44 UTC
Sadly the Ubuntu announcement doesn't state if this fix is inside the upstream release. Does anyone know details?
Comment 2 Robert Buchholz (RETIRED) 2007-10-24 11:14:34 UTC
Created attachment 134216: 05_locking_for_compiz.patch

The bug is here: https://launchpad.net/bugs/145123
The patch is attached.
Comment 3 Lubomir Rintel 2007-10-25 23:23:01 UTC
Seems like Ubuntu fixed it in the wrong place anyway:
https://bugzilla.redhat.com/show_bug.cgi?id=350271
Comment 4 Robert Buchholz (RETIRED) 2007-11-05 22:52:10 UTC
(In reply to comment #3)
> Seems like Ubuntu fixed it in wrong place anyway
> https://bugzilla.redhat.com/show_bug.cgi?id=350271

Lubomir, there's no movement on the RH bug. Do you have a patch for compiz?
Comment 5 Robert Buchholz (RETIRED) 2007-11-06 00:00:12 UTC
Created attachment 135282: compiz-0.6.2-CVE-2007-3920.patch
Comment 6 Robert Buchholz (RETIRED) 2007-11-06 00:00:35 UTC
Created attachment 135284: beryl-core-0.2.1-CVE-2007-3920.patch
Comment 7 Robert Buchholz (RETIRED) 2007-11-06 00:07:26 UTC
Seems I asked too early, Ubuntu fixed this on the compiz side:
http://www.ubuntu.com/usn/usn-537-2

Attached are the patch for Compiz, which applies cleanly, and a patch for beryl-core, which needed some changes.

Hanno, Tsunam: Can you please test and apply the patch, check with upstream and advise whether Compiz Fusion or any other *compiz* ebuild is affected by this?
Comment 8 Hanno Böck 2007-11-06 01:08:52 UTC
I've committed compiz-0.6.2 with the patch. Beryl is outdated, I've asked tsunam and removed it, with updates to the corresponding cf-stuff. I think this should be everything?
Comment 9 Robert Buchholz (RETIRED) 2007-11-06 01:17:41 UTC
(In reply to comment #8)
> I've committed compiz-0.6.2 with the patch. Beryl is outdated, I've asked
> tsunam and removed it, with updates to the corresponding cf-stuff.

Uhh.. no last-rites?

> I think this should be everything?

My guess would be that Compiz fusion is also affected, but I didn't dig through the code there. Can you advise on that?
Comment 10 Hanno Böck 2007-11-06 09:46:08 UTC
No last rites, because mainly beryl to compiz-fusion-transition is a renaming of various packages. All beryl stuff has its equivalent in the compiz/cf-world.

About the issue affecting cf: I don't think there is anything, because cf is not a wm/compositemanager itself. It's just a set of plugins and tools around compiz, as this fix affects the core, there shouldn't be any issues left.
Comment 11 Robert Buchholz (RETIRED) 2007-11-06 10:05:26 UTC
noglsa then.

(In reply to comment #10)
> About the issue affecting cf: I don't think there is anything, because cf is
> not a wm/compositemanager itself. It's just a set of plugins and tools around
> compiz, as this fix affects the core, there shouldn't be any issues left.

Out of curiosity: Who provides the functionality then? If cf can replace beryl, it can't be removed totally, can it?