| Summary: | gnome-extra/gnome-screensaver <2.20.0-r3 Network authentication lock loss (CVE-2008-0887) | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> | ||||||||
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||||
| Status: | RESOLVED FIXED | ||||||||||
| Severity: | normal | CC: | gnome | ||||||||
| Priority: | High | ||||||||||
| Version: | unspecified | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | B3 [glsa] | ||||||||||
| Package list: | Runtime testing required: | --- | |||||||||
| Attachments: |
|
||||||||||
Mart, Saleem, this issue is under embargo until 2008-04-02. Do not commit anything to CVS until this date. Please prepare an updated ebuild and attach it to this bug, we will do prestable testing here. Thanks. Created attachment 146599 [details, diff]
gnome-screensaver-CVE-2008-0887.patch
upstream patch
Created attachment 147162 [details]
gnome-screensaver-2.20.0-r3.ebuild
here is the ebuild for gnome 2.20
Created attachment 147163 [details]
gnome-screensaver-2.22.0-r1.ebuild
and the one for gnome 2.22 (which is still masked)
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
=gnome-extra/gnome-screensaver-2.20.0-r3
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86"
CC'ing current Liaisons:
alpha : ferdy
amd64 : welp
hppa : jer
ppc : dertobi123
ppc64 : corsair
release : pva
sparc : fmccor
x86 : opfer
Sparc seems to be OK. x86 happy saving lots of screens OK for HPPA. looks good on ppc64 Gilles &co, this will go public tomorrow at 14:00 UTC. You can commit after that date with the stable keywords gathered in this bug. public a little earlier, please commit. ebuilds are in CVS. Arches, please test and mark stable: =gnome-extra/gnome-screensaver-2.20.0-r3 Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86" Already stabled : "hppa ppc64 sparc x86" Missing keywords: "alpha amd64 ia64 ppc release" alpha/ia64 stable amd64 stable ppc stable GLSA vote: YES Fixed in release snapshot. Surprisingly that sounds very similar to http://www.gentoo.org/security/en/glsa/glsa-200705-14.xml Voting Yes. Let's do it This was GLSA 200804-12 |
Josh Bressers writes: We received a bug report regarding a flaw in the manner which gnome-screensaver behaves when using a network authentication scheme, and the network vanishes. The testing was done using NIS. Here is the reproducer reported via our bug: Steps to Reproduce: 1. Configure machine to be NIS server per: http://kbase.redhat.com/faq/FAQ_43_5684.shtm 2. Configure a NIS client using system-config-authentication 3. Login to GNOME desktop with NIS-only user. 4. Lock the screen 5. Stop the NIS server (customer disconnected network cable in his test) 6. Press return in lock window. Press cancel. 7. Screen unlocks with no passwd prompt. CVE-2008-0887 has been assigned to this issue.