Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 308029 (CVE-2009-4641)

Summary: <gnome-extra/gnome-screensaver-2.30.0: screen locking circumvention (CVE-2009-{4641,4642},CVE-2010-{0285,0414,0422})
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: gnome
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://launchpad.net/bugs/411350
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:10:16 UTC 
CVE-2009-4641 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4641):
  gnome-screensaver 2.28.0 does not resume adherence to its activation
  settings after an inhibiting application becomes unavailable on the
  session bus, which allows physically proximate attackers to access an
  unattended workstation on which screen locking had been intended.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:10:47 UTC 
Please provide an updated ebuild.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:12:03 UTC 
... or tell me if 2.28.3 is ok to go stable?
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 15:47:43 UTC 
CVE-2009-4642 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4642):
  gnome-screensaver 2.26.1 relies on the gnome-session D-Bus interface
  to determine session idle time, even when an Xfce desktop such as
  Xubuntu or Mythbuntu is used, which allows physically proximate
  attackers to access an unattended workstation on which screen locking
  had been intended.

CVE-2010-0285 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0285):
  gnome-screensaver 2.14.3, 2.22.2, 2.27.x, 2.28.0, and 2.28.3, when
  the X configuration enables the extend screen option, allows
  physically proximate attackers to bypass screen locking, access an
  unattended workstation, and view half of the GNOME desktop by
  attaching an external monitor.

CVE-2010-0414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0414):
  gnome-screensaver before 2.28.2 allows physically proximate attackers
  to bypass screen locking and access an unattended workstation by
  moving the mouse position to an external monitor and then
  disconnecting that monitor.

CVE-2010-0422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0422):
  gnome-screensaver 2.28.x before 2.28.3 does not properly synchronize
  the state of screen locking and the unlock dialog in situations
  involving a change to the number of monitors, which allows physically
  proximate attackers to bypass screen locking and access an unattended
  workstation by connecting and disconnecting monitors multiple times,
  a related issue to CVE-2010-0414.
Comment 4 Gilles Dartiguelongue (RETIRED) gentoo-dev 2010-03-07 15:06:11 UTC 
2.28.3 should be fine to go stable, it fixes a couple of problems I had with g-s in preceeding versions so I think it'll be a welcome upgrade anyway.
Comment 5 Pacho Ramos gentoo-dev 2010-03-07 17:59:52 UTC 
(In reply to comment #4)
> 2.28.3 should be fine to go stable, it fixes a couple of problems I had with
> g-s in preceeding versions so I think it'll be a welcome upgrade anyway.
> 

+1

It works ok for me with gnome 2.26, OK with adding arches?
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-07 18:07:00 UTC 
Someone should check if that version fixes all the CVEs first.
Comment 7 Pacho Ramos gentoo-dev 2011-03-06 13:20:10 UTC 
We have 2.30 stabilized
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-03-06 19:45:45 UTC 
(In reply to comment #7)
> We have 2.30 stabilized
> 

Thanks, Pacho.

GLSA Vote: no.
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2011-10-08 22:02:46 UTC 
voting no too, and closing.